Computing abstractions of nonlinear systems

Gunther Reißig*



Abstract 



Sufficiently accurate finite state models, also called symbolic models or discrete abstractions, allow one to apply fully automated methods, originally developed for purely discrete systems, to formally reason about continuous and hybrid systems, and to design finite state controllers that provably enforce predefined specifications. We present a novel algorithm to compute such finite state models for nonlinear discrete-time and sampled systems which depends on quantizing the state space using polyhedral cells, embedding these cells into suitable supersets whose attainable sets are convex, and over-approximating attainable sets by intersections of supporting half-spaces. We prove a novel recursive description of these half-spaces and propose an iterative procedure to compute them efficiently. We also provide new sufficient conditions for the convexity of attainable sets which imply the existence of the aforementioned embeddings of quantizer cells. Our method yields highly accurate abstractions and applies to nonlinear systems under mild assumptions, which reduce to sufficient smoothness in the case of sampled systems. Its practicability in the design of discrete controllers for nonlinear continuous plants under state and control constraints is demonstrated by an example.

Index Terms 

Discrete abstraction, symbolic model, nonlinear system, symbolic control, motion planning, formal verification, polyhedral over-approximation, attainability, attainable set; MSC: Primary, 93C10; Secondary, 93C55, 93C57, 93C15, 93B03

I. Introduction 

In recent years, there has been a growing interest in using finite state models for the analysis and synthesis of continuous and hybrid systems [1]-[9]. This interest has been stimulated by safety critical applications [10], inherent limits of continuous feedback control [11, Sections 5.8-5.10], increasingly complex control objectives [12], and the necessity to cope with the effects of coarse quantization [13]. A sufficiently accurate finite state model, also called a symbolic model or discrete abstraction, would allow one to apply fully automated methods, originally developed for purely discrete systems [14]-[16], to formally reason about the original system, and to design finite state controllers that provably enforce predefined specifications [2]-[9]. Obtaining such abstractions constitutes a challenging problem, which has only been satisfactorily solved for special cases.

Under the name symbolic dynamics, finite state models of continuous systems had 
already been a well-established mathematical tool [17] when the concept appeared in the 
engineering literature [18], [19]. Much of the subsequent research has been devoted to 
systems whose continuous-valued dynamics is linear. Methods for nonlinear systems 
have been systematically studied since around 1980; see [1], [4]-[9]. In the earliest 



*Universität Kassel, Fachbereich 16 - Elektrotechnik/Informatik, Regelungs- und Systemtheorie, Wilhelmshöher Allee 73, D-34121 Kassel, Germany, http://www.reiszig.de/gunther/

This work has been accepted for publication in the IEEE Trans. Automatic Control. Copyright may be transferred without notice, after which this version may no longer be accessible. Please refer to the author's homepage and to IEEE Xplore for the definitive publication. You may also find a BibTeX entry at the former website.






such approach [20], attainable sets are approximated by means of trajectories emanating from a finite set of initial points, hence the name sampling method [20]. This method has been successfully applied to a variety of problems [1], [4]-[8], [21]-[23], including symbolic control of sampled systems [23], [24]. An extension allows for rigorous over-approximation of attainable sets [25], and thus, for the computation of abstractions. Over the years, a large number of alternatives to the sampling method have been proposed, which represent a variety of compromises between approximation accuracy, practicability, rigor, and computational complexity [23], [26]-[42].

In the present paper, we aim at computing abstractions for nonlinear discrete-time systems of the form

$$x_{k+1} = G(x_k, u_k), \tag{1}$$

where the state $x$ takes values in a subset of $\mathbb{R}^n$, and $u$ is an input signal which is assumed to take its values in some finite set $U$. If (1) arises from a continuous-time system

$$\dot{x} = F(x, v) \tag{2}$$

under sampling, its right hand side $G$ may not be explicitly given. Our results will still apply as we will formulate hypotheses to be verified and computations to be performed directly in terms of the right hand side $F$ of (2).

The approach we follow involves quantizing the state space of (1) with the help of a finite covering $C$ of $\mathbb{R}^n$ whose elements we call cells [1]-[9]. The system (1) is supplemented with a quantizer $Q$ which assigns to any state $x$ of (1) the collection of those cells in $C$ that contain $x$, $Q(x) = \{A \in C \mid x \in A\}$. That is, a pair $(u, A)$ of an input signal $u_0, u_1, \ldots$ and an output signal $A_0, A_1, \ldots$ could possibly be generated by the quantized system composed of (1) and the non-deterministic output relation

$$A_k \in Q(x_k) \tag{3}$$

iff there exists a sequence $x_0, x_1, \ldots$ such that (1) and (3) hold for all non-negative integers $k$.$^1$ The collection of such pairs $(u, A)$ is called the behavior of the quantized system (1),(3) [43].

The input alphabet U and the output alphabet C of the quantized system (1),(3) are 
both finite. Control problems for (1),(3) can still be challenging to solve, especially if the 
system (1) is nonlinear and the specification involves constraints or is otherwise complex. 
In contrast, controllers (or supervisors) for finite automata are generally straightforward 
to design [14], [16], which raises the question of whether controllers for the quantized 
system (1),(3) can be obtained by solving auxiliary control problems for automata that 
approximate the behavior of (1),(3). As it turns out, this strategy is feasible if the 
approximation is both conservative and sufficiently precise, e.g. [3], [44]-[46]. That is, 
the automaton must be capable of generating any signal in the behavior of (1),(3), and 
the set of spurious signals should be small. In other words, the said strategy requires a 
discrete abstraction, by which we mean a superset of the behavior of (1),(3) that can be 
realized by a finite automaton, and this abstraction should be as accurate as possible. 

One way to prescribe the accuracy of an abstraction is to restrict the extent by which its signals are allowed to violate the dynamics of (1),(3). While, by definition, signals in the behavior of the quantized system (1),(3) are consistent with the dynamics of (1),(3) at all times, a common class of abstractions requires consistency only on finite time intervals [44], [45]. Such an abstraction contains any pair $(u, A)$ that fulfills the following condition, in which the memory span $N \geq 1$ determines the accuracy [43]: For any non-negative integer $t$ there are states $x_t, \ldots, x_{t+N}$ such that (1) and (3) hold for all $k \in \{t, t+1, \ldots, t+N-1\}$ and $k \in \{t, t+1, \ldots, t+N\}$, respectively. See Fig. 1(a).

$^1$The symbols $u$, $x$ and $A$ are used to denote elements of $U$, $\mathbb{R}^n$ and $C$, respectively, as well as signals taking their values in these sets.

Figure 1. (a) Illustration of consistency with the dynamics of the quantized system (1),(3) on finite time intervals. (b) Quantizer cells may serve as states of automata realizations of abstractions of memory span 1, where transitions are defined by condition (4).

In the case that $N = 1$, consistency of $(u, A)$ is equivalent to the existence of a sequence $x_0, x_1, \ldots$ for which

$$x_k \in A_k \quad\text{and}\quad G(x_k, u_k) \in A_{k+1} \tag{4}$$

hold for all $k$. Hence, the cells in the covering $C$ may serve as states of an automaton realization of the abstraction, where the occurrence of an input symbol $u_k \in U$ enables a transition from $A_k \in C$ to $A_{k+1} \in C$ iff there is a state $x_k$ of (1) such that (4) holds. Obviously, that automaton will be capable of generating any pair of signals $u$ and $A$ in the behavior of (1),(3). The fact that it will generally also generate spurious signals is illustrated in Fig. 1(b). If (1) requires the sign of the second component of the state to be constant, then the sequence $A_0, A_1, A_2, \ldots$ of cells generated by the automaton is not consistent with the dynamics of (1),(3). In contrast, consistency of $(u, A)$ for $N > 1$ requires, amongst other conditions, that (4) holds with $x_1 = G(x_0, u_0)$, which rules out the spurious signal $A_0, A_1, A_2, \ldots$ of Fig. 1(b). Indeed, increasing the memory span generally results in more accurate abstractions.

In this paper we shall present a novel algorithm to compute abstractions of finite but otherwise arbitrary memory span that builds on a well-known reformulation of consistency on finite time intervals in terms of attainable sets [44], [45], on a new method to compute polyhedral over-approximations of the latter, and on new results that guarantee the convexity of attainable sets of (1) and (2).

In our approach, polyhedral quantizer cells are embedded into suitable supersets whose attainable sets under the dynamics of (1) are convex for the duration of $N$ time steps, where $N$ is the memory span of the abstraction that is being computed. That convexity requirement permits us to over-approximate attainable sets by intersections of supporting half-spaces, and the latter are obtained from systems of linear equations derived from (1). The number of half-spaces needed can be quite large, especially if the memory span exceeds 1. We present a novel recursive description of these half-spaces and propose an iterative procedure to compute them efficiently.

The existence of the aforementioned embeddings of quantizer cells is, in fact, the essential requirement for our method to apply. The results in this paper not only allow verification of that requirement when a particular quantizer is given, but they also show how to meet it using sufficiently small but otherwise arbitrary polyhedral cells. We use strongly convex supersets of quantizer cells, and the error by which we over-approximate attainable sets depends quadratically on the size of the cells. Application of our earlier results [47], [48] on ellipsoidal supersets would have led to linear error bounds. Thus, the accuracy of the computed abstractions is improved if a particular quantizer is given. Alternatively, fewer and larger cells may be used, which reduces the computational effort to compute abstractions and also reduces the complexity of controllers designed on the basis of the latter. These results are obtained under mild assumptions on the right hand side $G$ of (1), which reduce to sufficient smoothness in the case of sampled systems.

The remainder of this paper is organized as follows. The next section introduces basic
notation and terminology. In Section III we present our algorithm for the computation of 
abstractions, prove its correctness, and analyze its computational complexity. Section IV 
is devoted to our results on the convexity of attainable sets. In Section V, practicability 
of our approach in the design of discrete controllers for nonlinear continuous plants 
under state and control constraints is demonstrated by an example. We also present 
computational results on how the computational effort of our approach grows with the 
problem size. 

II. Preliminaries 

A. Basic notation 

$\mathbb{R}$ and $\mathbb{Z}$ denote the sets of real numbers and integers, respectively, $\mathbb{R}_+$ and $\mathbb{Z}_+$ their subsets of non-negative elements, and $\mathbb{N} = \mathbb{Z}_+ \setminus \{0\}$. $[a,b]$, $]a,b[$, $[a,b[$, and $]a,b]$ denote closed, open and half-open, respectively, intervals with end points $a$ and $b$, e.g. $[0,\infty[ = \mathbb{R}_+$. $[a;b]$, $]a;b[$, $[a;b[$, and $]a;b]$ stand for discrete intervals, e.g. $[a;b] = [a,b] \cap \mathbb{Z}$.

For any sets $A$ and $B$, $f\colon A \to B$ denotes a map of $A$ into $B$, and $B^A$ is the set of all such maps. Operations involving subsets of $\mathbb{R}^n$ are defined pointwise [49, Appendix A], e.g. $A + A' := \{u + u' \mid u \in A, u' \in A'\}$ and $\varphi([0,t], A) := \{\varphi(\tau, \omega) \mid \tau \in [0,t], \omega \in A\}$ if $A, A' \subseteq \mathbb{R}^n$, $\varphi\colon \mathbb{R} \times \mathbb{R}^n \to \mathbb{R}^n$ and $t \in \mathbb{R}$.

$C^k$ denotes the class of $k$ times continuously differentiable maps, and $C^{k,1}$, the class of maps in $C^k$ with (locally) Lipschitz-continuous $k$th derivative.

B. Behaviors 

Given an arbitrary set $W$ called signal alphabet, any subset $B \subseteq W^{\mathbb{Z}_+}$ is a behavior on $W$ [43]-[46], [50]. Hence, elements of $B$ are infinite sequences $w\colon \mathbb{Z}_+ \to W$, which we call signals. We denote the value of the signal $w$ at time $k$ by $w_k$. The backward $\tau$-shift $\sigma^\tau$ is defined by $(\sigma^\tau w)_k = w_{\tau+k}$. The restriction of $B$ to $I \subseteq \mathbb{Z}_+$, $B|_I$, is defined by $B|_I := \{w|_I \mid w \in B\}$. $B$ is time-invariant if $\sigma B \subseteq B$. $B$ is $N$-complete, or equivalently, $B$ has memory span $N$, if $N \in \mathbb{Z}_+$ and $B = \{w \mid \forall_{\tau \in \mathbb{Z}_+}\ (\sigma^\tau w)|_{[0;N]} \in B|_{[0;N]}\}$. A superset $B'$ of a behavior $B \subseteq W^{\mathbb{Z}_+}$ is called an abstraction of $B$, and $B'$ is additionally called discrete if it can be realized by a finite automaton.

C. Discrete-time systems 

In (1) with right hand side $G\colon X \times U \to X$, $u\colon \mathbb{Z}_+ \to U$ represents an input signal and $x\colon \mathbb{Z}_+ \to X$, a state signal. A trajectory of (1) is a sequence $(x, u)\colon \mathbb{Z}_+ \to X \times U$ for which (1) holds for all $k \in \mathbb{Z}_+$. The collection of such trajectories, which is a subset of $(X \times U)^{\mathbb{Z}_+}$, is called the behavior of (1). The general solution $\psi\colon \mathbb{Z}_+ \times X \times U^{\mathbb{Z}_+} \to X$ of (1) is the map defined by the requirement that $(\psi(\cdot, x_0, u), u)$ is a trajectory of (1) and $\psi(0, x_0, u) = x_0$. Of course, it is not necessary to specify $u$ on the whole time axis, so we may write

$$\psi(k, x_0, u_0, \ldots, u_{k'-1}) := \psi(k, x_0, u|_{[0;k'[}) := \psi(k, x_0, u)$$

whenever $k' \geq k$. We will often assume the following.

(H1) $X \subseteq \mathbb{R}^n$ is open and $G\colon X \times U \to X$ is such that for all $u \in U$, the map $G(\cdot, u)$ is a $C^1$-diffeomorphism onto an open subset of $X$.

We will say (H1) is fulfilled with smoothness $C^k$ if (H1) holds with $G(\cdot, u)$ of class $C^k$ rather than merely $C^1$.

III. Computation of abstractions 

In the present section, we shall develop an efficient algorithm for computing abstractions of (1) that can be represented by finite automata. Intuitively, our approach is that of successively expanding the behavior of (1) and may be seen to comprise four approximation steps: state space quantization, approximation by the smallest discrete abstraction, approximation by a collection of convex programs, approximation by a collection of linear programs.

The purpose of state space quantization is to conservatively approximate (1) using a finite signal alphabet, which is an important prerequisite for a finite automaton approximation. Unfortunately, 1-completeness of the behavior of (1) is usually lost, and in general the behavior of the quantized system is not $N$-complete for any $N$. In order to reintroduce $N$-completeness, which is sufficient for a finite automaton representation to exist, we approximate the quantized system again, this time by the smallest discrete abstraction of memory span $N$. A problem with the latter abstraction is that it may only be computed exactly for special cases of both systems (1) and state space quantizations. Two more approximation steps yield further abstractions, which are both $N$-complete and characterized in terms of computationally tractable problems. Specifically, we first replace each quantizer cell by a suitable superset whose attainable sets are known to be convex, and then determine tight polyhedral over-approximations, i.e., collections of supporting half-spaces, of the latter. This yields abstractions characterized in terms of linear programs. As it turns out, each half-space can be obtained as a solution of a system of linear equations derived from (1) and of differential equations derived from (2), respectively.

A. State space quantization 

Quantization of the state space of (1) is realized by supplementing (1) with a quantizer; 
see Section I. 

The system $C$ of quantizer cells is chosen as follows. We first define a region $K$ of the state space $X$ of (1) whose local dynamics is deemed an essential part of the behavior of (1), then choose a finite covering $C'$ of $K$, and finally supplement $C'$ by additional cells in order to obtain a covering $C$ of $\mathbb{R}^n$. Intuitively, $K$ is the intended operating range of the quantizer, whereas cells in $C \setminus C'$ represent overflow symbols.

Of course, what is considered essential local dynamics depends on the purpose of our analysis of (1), and our choice of $C'$ will also be influenced by other particularities of the problem at hand; hence a general rule for the choice of the quantizer cannot be given. However, the following hypothesis should be fulfilled in order to ensure the correctness of the algorithm for the computation of abstractions we are going to present.
(H2) The input alphabet $U$ is finite, and $C$ is a finite covering of $\mathbb{R}^n$ whose elements are nonempty convex polyhedra. For each cell $A \in C' \subseteq C$ there is a superset, denoted $\hat{A}$ in the sequel, for which $\hat{A} \subseteq X$ and attainable sets $\psi(k, \hat{A}, u)$ are convex for all $k \in [1;N]$ and all $u\colon [0;k[ \to U$, where $\psi$ denotes the general solution of (1), and $N$, the memory span of the abstraction we seek to obtain.

In the present section, the above condition plays the role of an assumption. The nontrivial question of how to verify it is postponed to Section IV.

B. Smallest discrete abstractions 

Let $B \subseteq (U \times C)^{\mathbb{Z}_+}$ denote the behavior of the quantized system (1),(3), and let $N \in \mathbb{Z}_+$ be given. The $N$-complete hull $B_N$ of $B$ is the intersection of all $N$-complete behaviors $B' \subseteq (U \times C)^{\mathbb{Z}_+}$ that contain $B$ as a subset. Under the name strongest $N$-complete approximations, $N$-complete hulls have been introduced and investigated by Moor and his collaborators, e.g. [44], [45]. It has been shown that $B \subseteq B_{N+1} \subseteq B_N$ and that $N$-complete hulls are indeed $N$-complete. Thus, the map that assigns to $B$ its $N$-complete hull $B_N$ is a closure operator [51], and $B_N$ is the smallest discrete abstraction of memory span $N$ of $B$. Moreover, $B_N$ admits the following characterization [44], [45].

III.1 Proposition. Let $C$ be a covering of $\mathbb{R}^n$, $N \in \mathbb{Z}_+$, $u\colon [0;N] \to U$, $A\colon [0;N] \to C$, $\psi$ the general solution of (1), $B$ the behavior of the quantized system (1),(3), and $B_N$ the $N$-complete hull of $B$. Then

$$B_N = \bigl\{w\colon \mathbb{Z}_+ \to W \bigm| \forall_{\tau \in \mathbb{Z}_+}\ (\sigma^\tau w)|_{[0;N]} \in B|_{[0;N]}\bigr\}.$$

Moreover, the sets $M_0, \ldots, M_N$ defined by

$$M_k = \bigl\{\psi(k, x_0, u) \bigm| x_0 \in X,\ \forall_{i \in [0;k]}\ \psi(i, x_0, u) \in A_i\bigr\} \tag{5}$$

satisfy $M_k = A_k \cap G(M_{k-1}, u_{k-1})$ for all $k \in [1;N]$, and for all $k \in [0;N]$ we have $(u, A) \in B|_{[0;k]}$ iff $M_k \neq \emptyset$.

In view of Proposition III.1, computing an exact representation of the $k$-complete hull $B_k$ of the behavior of (1),(3) would require verifying

$$M_k(u, A) \neq \emptyset \tag{6}$$

for all choices of sequences $u$ and $A$, where $M_k(u, A)$ is defined by the right hand side of (5). To verify (6), in turn, one must check whether there is some initial point $x_0 \in A_0$ such that the trajectory generated by $x_0$ and $u$ visits $A_1, \ldots, A_k$ at times $1, \ldots, k$; see also Fig. 1(a). (In fact, $M_k(u, A)$ consists of the values at time $k$ of the trajectories that satisfy the latter condition.) To perform that test is, in general, an extremely difficult problem which may only be exactly solved in rather special situations. One therefore aims at efficiently computing discrete abstractions that conservatively approximate the smallest one, $B_k$, and resorts to a test

$$\hat{M}_k(u, A) \neq \emptyset \tag{7}$$

for some outer approximation $\hat{M}_k(u, A)$ of $M_k(u, A)$, e.g. [28]. On the one hand, the set $\hat{M}_k(u, A)$ should have a simple structure in order to allow for efficiently testing condition (7). On the other hand, that set should approximate $M_k(u, A)$ as accurately as possible, since $B_k$ already is an over-approximation of the actual behavior of the quantized system (1),(3) and the difference $\hat{M}_k(u, A) \setminus M_k(u, A)$ will inevitably lead to additional spurious signals.
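The recursion $M_k = A_k \cap G(M_{k-1}, u_{k-1})$ of Proposition III.1 and the spurious signal of Fig. 1(b), worked as an added Python example that is not part of the paper. The system is a hypothetical one chosen so that the exact test $M_k \neq \emptyset$ is computable: its second state component is constant and $G(\cdot, u)$ maps axis-aligned boxes to axis-aligned boxes, so with closed unit cells the sets $M_k$ are boxes and the recursion reduces to interval arithmetic. The memory-span-1 automaton of condition (4) accepts a diagonal cell sequence that passes through cells touching only along their boundary, while the memory-span-2 hull rejects it.

```python
"""Exact N-complete hulls for a box-preserving system (added example, not
the paper's code).

Hypothetical system (1): x1_{k+1} = x1_k + u_k, x2_{k+1} = x2_k with inputs
u in U = {-1, 0, 1}.  Cells are the closed unit boxes [i, i+1] x [j, j+1],
so neighbouring cells share their boundary.
"""
from itertools import product

INPUTS = (-1, 0, 1)


def cell(i, j):
    """Closed unit cell [i, i+1] x [j, j+1] as a box ((lo1, lo2), (hi1, hi2))."""
    return ((float(i), float(j)), (float(i + 1), float(j + 1)))


def image(box, u):
    """G(box, u) for the hypothetical dynamics: shift x1 by u, keep x2."""
    (lo1, lo2), (hi1, hi2) = box
    return ((lo1 + u, lo2), (hi1 + u, hi2))


def intersect(a, b):
    """Intersection of two closed boxes, or None if it is empty."""
    lo = (max(a[0][0], b[0][0]), max(a[0][1], b[0][1]))
    hi = (min(a[1][0], b[1][0]), min(a[1][1], b[1][1]))
    return (lo, hi) if lo[0] <= hi[0] and lo[1] <= hi[1] else None


def attainable_chain(cells, inputs):
    """M_0, ..., M_N of (5) via M_0 = A_0, M_k = A_k intersect G(M_{k-1}, u_{k-1}).
    A None entry means M_k (and every later M) is empty."""
    M = [cells[0]]
    for k in range(1, len(cells)):
        M.append(None if M[-1] is None
                 else intersect(cells[k], image(M[-1], inputs[k - 1])))
    return M


def consistent(cells, inputs):
    """(u, A)|[0;N] lies in B|[0;N] iff M_N is nonempty (Proposition III.1)."""
    return attainable_chain(cells, inputs)[-1] is not None


def memory1_transitions(cells_ij, inputs=INPUTS):
    """Automaton realisation of the memory-span-1 abstraction, condition (4):
    (A, u) -> A' iff some x in A has G(x, u) in A', i.e. A' meets G(A, u)."""
    return {(a, u, b) for a in cells_ij for u in inputs for b in cells_ij
            if intersect(cell(*b), image(cell(*a), u)) is not None}


def spurious_in_memory1(cells_ij, inputs=INPUTS):
    """Cell sequences of length 3 that the memory-span-1 automaton accepts
    (each step is a transition) but the memory-span-2 hull rejects (M_2 empty)."""
    T = memory1_transitions(cells_ij, inputs)
    spurious = []
    for a0, a1, a2 in product(cells_ij, repeat=3):
        for u0, u1 in product(inputs, repeat=2):
            if (a0, u0, a1) in T and (a1, u1, a2) in T and \
               not consistent([cell(*a0), cell(*a1), cell(*a2)], [u0, u1]):
                spurious.append(((a0, a1, a2), (u0, u1)))
    return spurious


if __name__ == "__main__":
    grid = [(i, j) for i in range(3) for j in range(3)]
    for seq, word in spurious_in_memory1(grid)[:5]:
        print("spurious for N = 1, rejected for N = 2:", seq, "under", word)
```

The diagonal sequence $[0,1]^2 \to [1,2]^2 \to [2,3]^2$ under $u = (1, 1)$ is accepted step by step because $x_2 = 1$ and $x_2 = 2$ each lie on a shared boundary, but $M_2$ requires $x_2 \in [0,1] \cap [1,2] \cap [2,3] = \emptyset$.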

The following novel characterization of $B_k$, which is not valid in the more general setting of [44], [45], will be crucial in our determination of suitable candidates for $\hat{M}_k(u, A)$.

III.2 Proposition. Let $C$, $N$, $u$, $A$, $\psi$ and $M_k$ be as in Proposition III.1 and assume in addition that $G(\cdot, u)$ is injective for all $u \in U$. Then

$$M_k = \bigcap_{\tau=0}^{k} \psi(\tau, X \cap A_{k-\tau}, u|_{[k-\tau;k[}) \tag{8}$$

for all $k \in [0;N]$.

Proof. (8) obviously holds for $k \in \{0, 1\}$, so assume (8) holds for some $k \in [1;N[$. Then, using Proposition III.1, we obtain

$$M_{k+1} = A_{k+1} \cap G(M_k, u_k) = A_{k+1} \cap G\Bigl(\bigcap_{\tau=0}^{k} \psi(\tau, X \cap A_{k-\tau}, u|_{[k-\tau;k[}),\ u_k\Bigr).$$

Injectivity of $G(\cdot, u_k)$ implies $G(A \cap B, u_k) = G(A, u_k) \cap G(B, u_k)$ for any sets $A$ and $B$. This together with $G(\psi(\tau, \cdot, u|_{[k-\tau;k[}), u_k) = \psi(\tau + 1, \cdot, u|_{[k-\tau;k]})$ gives

$$M_{k+1} = A_{k+1} \cap \bigcap_{\tau=0}^{k} \psi(\tau + 1, X \cap A_{k-\tau}, u|_{[k-\tau;k+1[}) = A_{k+1} \cap \bigcap_{\tau=1}^{k+1} \psi(\tau, X \cap A_{k+1-\tau}, u|_{[k+1-\tau;k+1[}). \quad\square$$

C. Polyhedral over-approximations of attainable sets 

We endow the space $\mathbb{R}^n$ with the standard Euclidean product $(\cdot|\cdot)$, i.e., $(x|y) = \sum_{i=1}^{n} x_i y_i$ for any $x, y \in \mathbb{R}^n$. The derivative and the inverse of a map $f$ are denoted by $f'$ and $f^{-1}$, respectively, and $f^*$ is the transpose of $f$ if $f\colon \mathbb{R}^n \to \mathbb{R}^m$ is linear.

III.3 Definition. For any $C^1$-diffeomorphism $\Phi\colon V \to W$ between open sets $V, W \subseteq \mathbb{R}^n$, the complementary extension $\Phi^\diamond\colon V \times \mathbb{R}^n \to W \times \mathbb{R}^n$ of $\Phi$ is defined by

$$\Phi^\diamond(p, v) = \bigl(\Phi(p),\ (\Phi'(p)^{-1})^* v\bigr).$$

We further define

$$P(p, v) = \{x \in \mathbb{R}^n \mid (v \mid x - p) \leq 0\} \tag{9}$$

for all $p, v \in \mathbb{R}^n$ and set

$$P(\Sigma) = \bigcap_{(p, v) \in \Sigma} P(p, v) \tag{10}$$

for $\Sigma \subseteq \mathbb{R}^n \times \mathbb{R}^n$. In words, (10) is the intersection of the half-spaces (9) represented by pairs $(p, v) \in \Sigma$.

III.4 Definition. A vector $v \in \mathbb{R}^n$ is normal to $\Omega \subseteq \mathbb{R}^n$ at a boundary point $p$ of $\Omega$ if $(v \mid x - p) \leq 0$ for all $x \in \Omega$. We call $\Sigma$ an outer convex approximation of $\Omega$ if $\Omega \subseteq P(\Sigma)$, and a supporting convex approximation of $\Omega$, if $p \in \Omega$ and $v$ is normal to $\Omega$ at $p$, for all $(p, v) \in \Sigma$. A finite outer (supporting, resp.) convex approximation is polyhedral.
Let us now return to the problem of suitable candidates $\hat{M}_k(u, A)$ for the test (7). If hypothesis (H2) holds and $A_0, \ldots, A_N \in C'$, we could define $\hat{M}_k(u, A)$ to be

$$A_k \cap \bigcap_{\tau=1}^{k} \psi(\tau, \hat{A}_{k-\tau}, u|_{[k-\tau;k[}), \tag{11}$$

and since $A_k$ and all the sets $\psi(\tau, \hat{A}_{k-\tau}, u|_{[k-\tau;k[})$ are convex by (H2), the test (7) would be a convex program. The strategy we actually pursue is to take some suitable outer polyhedral approximation of (11) for $\hat{M}_k(u, A)$. Then the convex program (7) becomes linear, and the sets $\hat{M}_k(u, A)$ enjoy a recursive description.

III.5 Proposition. Assume (H2) for some $N \in \mathbb{Z}_+$ as well as (H1), and let $A\colon [0;N] \to C$, $u\colon [0;N[ \to U$ and $\Sigma, S\colon [0;N] \to \mathcal{P}(\mathbb{R}^n \times \mathbb{R}^n)$, where $\mathcal{P}(\cdot)$ denotes the power set. Assume further that $\Sigma_k$ is a supporting convex approximation of $\hat{A}_k$ for all $k \in [0;N]$, and

$$S_0 = \Sigma_0, \tag{12}$$
$$S_k = \Sigma_k \cup G(\cdot, u_{k-1})^\diamond(S_{k-1}) \quad\text{for } k \in [1;N]. \tag{13}$$

Then, for all $k \in [1;N]$, $G(\cdot, u_{k-1})^\diamond(S_{k-1})$ is an outer convex approximation of $\bigcap_{\tau=1}^{k} \psi(\tau, \hat{A}_{k-\tau}, u|_{[k-\tau;k[})$, and in particular, $S_k$ is one of (11).

The above result will enable us to iteratively and efficiently compute the sets $\hat{M}_k(u, A)$ defined earlier. For given $u$ and $A$, such sets correspond to $P(S_k)$, i.e., to the intersection of the half-spaces represented by pairs $(p, v) \in S_k$ of points $p$ and normals $v$. In view of this implicit representation of polyhedra, (13) says that $\hat{M}_k(u, A)$ is the intersection, and not the union, of the polyhedra $P(\Sigma_k)$ and $P(G(\cdot, u_{k-1})^\diamond(S_{k-1}))$. Moreover, in contrast to $M_k(u, A)$, the set $\hat{M}_k(u, A)$ is not the intersection of attainable sets of quantizer cells under the dynamics of (1), which is why Propositions III.1 and III.2 cannot be applied to obtain the recursive description in Proposition III.5.

To prove Proposition III. 5 we need the following auxiliary result. 

III.6 Lemma. Assume $\Phi\colon V \to W$ is a $C^1$-diffeomorphism between open sets $V, W \subseteq \mathbb{R}^n$ such that both $\Omega \subseteq V$ and $\Phi(\Omega)$ are convex, and let $p \in \Omega$. Then $v \in \mathbb{R}^n$ is normal to $\Omega$ at $p$ iff $(\Phi'(p)^{-1})^* v$ is normal to $\Phi(\Omega)$ at $\Phi(p)$. In particular, $\Sigma \subseteq \mathbb{R}^n \times \mathbb{R}^n$ is a supporting convex approximation of $\Omega$ iff $\Phi^\diamond(\Sigma)$ is one of $\Phi(\Omega)$.

Proof. Let $v$ be normal to $\Omega$ at $p$ and define $w = (\Phi'(p)^{-1})^* v$ and $q = \Phi(p)$ as well as $\gamma\colon [0,1] \to \mathbb{R}^n\colon t \mapsto \Phi^{-1}(q + t(y - q))$ for some $y \in \Phi(\Omega)$. The map $\gamma$ is well-defined, differentiable and takes its values in $\Omega$, since $q, y \in \Phi(\Omega)$ and $\Phi(\Omega)$ is convex. This implies the map $\alpha$ defined by $\alpha(t) = (v \mid \gamma(t) - p)$ is non-positive as $v$ is normal to $\Omega$ at $p$. Furthermore, $\alpha$ is differentiable with $\alpha(0) = 0$, hence $0 \geq \alpha'(0) = (v \mid (\Phi^{-1})'(q)(y - q)) = (w \mid y - q)$. As $y$ is an arbitrary element of $\Phi(\Omega)$, $w$ is normal to $\Phi(\Omega)$ at $q$.

For the converse assume $w$ is normal to $\Phi(\Omega)$ at $q$ and observe $(((\Phi^{-1})'(q))^{-1})^* w = v$. The first part of this proof applied to $\Phi^{-1}$ then shows that $v$ is normal to $\Omega$ at $p$. □

Figure 2. Approximation principle underlying the algorithm in Fig. 3: Let $u \in U$ and consider a cell $A \in C'$ whose image $G(A, u)$ under the nonlinear map $G(\cdot, u)$ is non-convex. $A$ is conservatively approximated by some set $\hat{A}$, and $\hat{A}$ in turn, by a supporting convex polyhedron $P(\Sigma(\hat{A}))$. $\Sigma(\hat{A})$ is mapped under the complementary extension $G(\cdot, u)^\diamond$. The result, in contrast to images under $G(\cdot, u)$, again represents a convex polyhedron, $P(G(\cdot, u)^\diamond(\Sigma(\hat{A})))$. By hypothesis (H2), $G(\hat{A}, u)$ is convex, which guarantees $G(A, u) \subseteq G(\hat{A}, u) \subseteq P(G(\cdot, u)^\diamond(\Sigma(\hat{A})))$. The latter set is the one that is actually computed.

Proof of Proposition III.5. Let $v\colon \mathbb{Z}_+ \to U$ and observe that $\psi(0, p, v) = p$ and $\psi(k + 1, p, v) = G(\psi(k, p, v), v_k)$ for all $k \in \mathbb{Z}_+$ and all $p \in X$. Then, by induction, $\psi(k, \cdot, v)$ is a $C^1$-diffeomorphism between $X$ and an open subset of $X$, which has two implications. First, by (H2) and Lemma III.6, $\psi(\tau, \cdot, u|_{[k-\tau;k[})^\diamond(\Sigma_{k-\tau})$ is a supporting convex approximation of $\psi(\tau, \hat{A}_{k-\tau}, u|_{[k-\tau;k[})$ for all $k \in [0;N]$ and all $\tau \in [0;k]$. Second, we have

$$\psi(k + 1, \cdot, v)^\diamond = G(\cdot, v_k)^\diamond \circ \psi(k, \cdot, v)^\diamond \tag{14}$$

for all $k \in \mathbb{Z}_+$, where $\circ$ denotes composition [51], since obviously $(\Phi \circ \Psi)^\diamond = \Phi^\diamond \circ \Psi^\diamond$ for any diffeomorphisms $\Phi$ and $\Psi$ whose composition $\Phi \circ \Psi$ is well-defined. We now show

$$G(\cdot, u_{k-1})^\diamond(S_{k-1}) = \bigcup_{\tau=1}^{k} \psi(\tau, \cdot, u|_{[k-\tau;k[})^\diamond(\Sigma_{k-\tau}) \tag{15}$$

for all $k \in [1;N]$, which proves the proposition. Observe first that (12) implies (15) for $k = 1$, and then assume (15) holds for some $k \in [1;N[$. Then $G(\cdot, u_k)^\diamond(S_k)$ equals

$$G(\cdot, u_k)^\diamond(\Sigma_k) \cup \bigcup_{\tau=1}^{k} G(\cdot, u_k)^\diamond\bigl(\psi(\tau, \cdot, u|_{[k-\tau;k[})^\diamond(\Sigma_{k-\tau})\bigr)$$

by (13). The first set in this union is $\psi(1, \cdot, u|_{[k;k+1[})^\diamond(\Sigma_k)$, and by (14), the union of the last $k$ sets equals $\bigcup_{\tau=1}^{k} \psi(\tau + 1, \cdot, u|_{[k-\tau;k+1[})^\diamond(\Sigma_{k-\tau})$. This implies (15) with $k$ replaced by $k + 1$. □

D. Algorithmic solution 

We now present an algorithm for efficiently computing discrete abstractions for the quantized system (1),(3), which is based on the geometric idea behind Prop. III.5. See also Fig. 2. Since we are now investigating behaviors, which are sets of signals $(u, A)$, the analogs of the sets $S_k$ introduced in Proposition III.5 will depend on $u$ and $A$, which is why we denote them by $S(u|_{[\tau;\tau+k[}, A|_{[\tau;\tau+k]})$ in what follows.

III.7 Theorem. Let $n \in \mathbb{N}$ and $N \in \mathbb{Z}_+$, assume (H1) and (H2) hold, let $\Sigma(A)$ be a supporting polyhedral approximation of $\hat{A}$, for all $A \in C'$, and let the map $S\colon \bigcup_{k=0}^{N} U^{[0;k[} \times C^{[0;k]} \to \mathcal{P}(\mathbb{R}^n \times \mathbb{R}^n)$ be defined by the output of the algorithm in Fig. 3. Then, for all $k \in [0;N]$, the set

$$\bigl\{(u, A) \in (U \times C)^{\mathbb{Z}_+} \bigm| \forall_{\tau \in \mathbb{Z}_+}\ P(S(u|_{[\tau;\tau+k[}, A|_{[\tau;\tau+k]})) \neq \emptyset\bigr\},$$

which is denoted $\hat{B}_k$, is a $k$-complete discrete abstraction of the behavior of the quantized system (1),(3).
Input: $n$, $N$, $U$, $G$, $C$, $C'$; $\Sigma(A)$ for each $A \in C'$.
1: for all $A \in C$ do
2:     $S(A) := \Sigma(A)$ if $A \in C'$, and $S(A) := \emptyset$ otherwise
3: end for
4: for $k = 0, \ldots, N - 1$ do
5:     for all $u\colon [0;k+1[ \to U$, $A\colon [0;k+1] \to C$ do
6:         if $S(u|_{[0;k[}, A|_{[0;k]}) = \emptyset$ then
7:             $S(u, A) := \emptyset$
8:         else if $A_{k+1} \cap P(G(\cdot, u_k)^\diamond(S(u|_{[0;k[}, A|_{[0;k]}))) = \emptyset$ then
9:             $S(u, A) := \mathbb{R}^n \times \mathbb{R}^n$
10:        else if $A_{k+1} \notin C'$ then
11:            $S(u, A) := \emptyset$
12:        else
13:            $S(u, A) := \Sigma(A_{k+1}) \cup G(\cdot, u_k)^\diamond(S(u|_{[0;k[}, A|_{[0;k]}))$
14:        end if
15:    end for
16: end for
Output: $S$

Figure 3. Algorithm for the computation of outer polyhedral approximations of attainable sets that define a discrete abstraction of the quantized system (1),(3).



Proof. First observe the operations to be performed by the algorithm in Fig. 3 are well-defined. In particular, $G(\cdot, u_k)^\diamond$ on lines 8 and 13 of the algorithm shown in Fig. 3 is well-defined by hypotheses (H1) and (H2), and $\Sigma(A_{k+1})$ on line 13 is as well, by the test on line 10.

Denote the behavior of the quantized system (1),(3) by $B$. In order to show $\hat{B}_k$ is $k$-complete, let $u\colon \mathbb{Z}_+ \to U$ and $A\colon \mathbb{Z}_+ \to C$, and assume that for all $\tau \in \mathbb{Z}_+$ there is some $(v, \Gamma) \in \hat{B}_k$ such that $(\sigma^\tau u)|_{[0;k]} = v|_{[0;k]}$ and $(\sigma^\tau A)|_{[0;k]} = \Gamma|_{[0;k]}$. This implies

$$\emptyset \neq P(S(v|_{[0;k[}, \Gamma|_{[0;k]})) = P(S(u|_{[\tau;\tau+k[}, A|_{[\tau;\tau+k]})),$$

thus $(u, A) \in \hat{B}_k$.

Given arbitrary $K \in [0;N[$, $u\colon [0;K+1[ \to U$ and $A\colon [0;K+1] \to C$, we now show

$$P(S(u|_{[0;k[}, A|_{[0;k]})) = \emptyset \ \text{ implies } \ M_k = \emptyset \tag{16}$$

for all $k \in [0;K+1]$, where $M_k$ is defined by (8). According to Propositions III.1 and III.2, this implies $B \subseteq \hat{B}_k$, and hence, proves the theorem.

From the initialization of $S$ on lines 1-3 of the algorithm and hypothesis (H2) it follows that $P(S(A_0)) \neq \emptyset$, thus (16) holds for $k = 0$. Assume now that (16) holds for all $k \in [0;K]$, for some $K \in [0;N[$, as well as $P(S(u, A)) = \emptyset$. In view of lines 6 and 7, this implies $S(u|_{[0;k[}, A|_{[0;k]}) \neq \emptyset$ for all $k \in [0;K+1]$. We further obtain

$$A_{k+1} \cap P(G(\cdot, u_k)^\diamond(S(u|_{[0;k[}, A|_{[0;k]}))) = \emptyset \tag{17}$$

for $k = K$. Otherwise, $S(u, A)$ would have been assigned its value on line 13, i.e.,

$$S(u|_{[0;k+1[}, A|_{[0;k+1]}) = \Sigma(A_{k+1}) \cup G(\cdot, u_k)^\diamond(S(u|_{[0;k[}, A|_{[0;k]})) \tag{18}$$

for $k = K$; thus the left hand side of (17) would be a subset of $P(S(u, A)) = \emptyset$, which is a contradiction.

Now assume (17) also holds for some $k \in [0;K[$. Then $S(u|_{[0;k+1[}, A|_{[0;k+1]})$ is assigned its value on line 9, hence $P(S(u|_{[0;k+1[}, A|_{[0;k+1]})) = \emptyset$. From this and (16) we obtain $M_{k+1} = \emptyset$, and Proposition III.1 yields $M_{K+1} = \emptyset$. Thus, (16) holds for $k = K + 1$.

If, on the other hand, (17) does not hold for any $k \in [0;K[$, then, in view of lines 2, 6, 7, 10 and 11, we obtain $A_\tau \in C'$ for all $\tau \in [0;K]$, $S(A_0) = \Sigma(A_0)$, as well as (18) for all $k \in [0;K[$. Proposition III.5 then shows that the left hand side of (17) for $k = K$ contains $M_{K+1}$ as a subset, so (16) holds for $k = K + 1$, and we are done. □

III.8 Corollary. Under the hypotheses of Theorem III.7 and for all $k \in [0;N]$, the requirement

$$\exists_{A\colon \mathbb{Z}_+ \to C}\ \bigl((u, A) \in \hat{B}_k \ \text{ and } \ \forall_{k \in \mathbb{Z}_+}\ x_k \in A_k\bigr)$$

for sequences $(u, x)\colon \mathbb{Z}_+ \to U \times \mathbb{R}^n$ defines an abstraction of the behavior of the discrete-time system (1).

We remark that the algorithm in Fig. 3 contains just two nontrivial operations which need to be performed repeatedly, namely, the determination of the set

$$G(\cdot, u_k)^\diamond(S(u|_{[0;k[}, A|_{[0;k]})), \tag{19}$$

which appears on lines 8 and 13, and the test for emptiness on line 8. The latter can be efficiently performed using linear programming techniques, since both $A_{k+1}$ and $P(G(\cdot, u_k)^\diamond(S(u|_{[0;k[}, A|_{[0;k]})))$ are convex polyhedra. According to Definition III.3, the former operation requires an evaluation of the function $G(\cdot, u_k)$ and the solution of a linear system of equations for each element $(p, v) \in S(u|_{[0;k[}, A|_{[0;k]})$,

$$\hat{p} = G(p, u_k), \tag{20a}$$
$$v = D_1 G(p, u_k)^* \hat{v}, \tag{20b}$$

in order to obtain an element $(\hat{p}, \hat{v})$ of (19), which represents one half-space in the outer convex approximation (19). Here, $D_i f$ denotes the partial derivative of $f$ with respect to the $i$th argument.
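The two operations of the algorithm in Fig. 3, as an added Python example that is not code from the paper: the push-forward (20) of a supporting polyhedral approximation under the complementary extension $G(\cdot, u)^\diamond$, the recursion (12),(13), and the emptiness test of line 8. The right hand side $G$ (an explicit Euler step of a pendulum), the step size $h = 0.1$ and the disk-shaped supersets $\hat{A}$ are assumptions made for this example; nothing here verifies (H2), which is the subject of Section IV. The linear program of line 8 is replaced by vertex enumeration, which is exact for bounded polyhedra in the plane (the cells are bounded boxes) but, unlike an LP, does not scale to higher dimensions.

```python
"""Polyhedral over-approximation of attainable sets in the plane (n = 2).

Added example, not code from the paper.  The dynamics G, the step size H
and the disk-shaped supersets A_hat are assumptions made for this example.
"""
import math

H = 0.1  # assumed sampling time of the hypothetical Euler step below


def G(x, u):
    """Assumed right hand side of (1): explicit Euler step of the pendulum
    x1' = x2, x2' = u - sin(x1).  G(., u) is a C^1-diffeomorphism of R^2."""
    x1, x2 = x
    return (x1 + H * x2, x2 + H * (u - math.sin(x1)))


def D1G(x, u):
    """Jacobian D_1 G(x, u) as a tuple of rows."""
    x1, _ = x
    return ((1.0, H), (-H * math.cos(x1), 1.0))


def solve2(a, b):
    """Solve the 2x2 system a x = b by Cramer's rule; None if singular."""
    det = a[0][0] * a[1][1] - a[0][1] * a[1][0]
    if abs(det) < 1e-14:
        return None
    return ((b[0] * a[1][1] - a[0][1] * b[1]) / det,
            (a[0][0] * b[1] - b[0] * a[1][0]) / det)


def complementary_extension(S, u):
    """G(., u)^diamond(S) via (20): p_hat = G(p, u), and v_hat solves the
    linear system D_1 G(p, u)^* v_hat = v, for every pair (p, v) in S."""
    out = []
    for p, v in S:
        J = D1G(p, u)
        JT = ((J[0][0], J[1][0]), (J[0][1], J[1][1]))  # transpose of J
        out.append((G(p, u), solve2(JT, v)))
    return out


def disk_supports(centre, r, m):
    """Supporting polyhedral approximation Sigma(A_hat) of the disk A_hat of
    radius r: m boundary points paired with their outward (radial) normals."""
    cx, cy = centre
    return [((cx + r * math.cos(t), cy + r * math.sin(t)), (math.cos(t), math.sin(t)))
            for t in (2 * math.pi * i / m for i in range(m))]


def box_halfspaces(lo, hi):
    """The box [lo1, hi1] x [lo2, hi2] as four pairs (p, v) in the sense of (9)."""
    return [((hi[0], 0.0), (1.0, 0.0)), ((lo[0], 0.0), (-1.0, 0.0)),
            ((0.0, hi[1]), (0.0, 1.0)), ((0.0, lo[1]), (0.0, -1.0))]


def polyhedron_nonempty(S, tol=1e-9):
    """P(S) != {} for a bounded polyhedron P(S) in R^2, by vertex enumeration
    in place of the linear program of line 8: a nonempty bounded polyhedron has
    a vertex, i.e. a point where two bounding lines meet that satisfies every
    constraint."""
    rows = [(v, v[0] * p[0] + v[1] * p[1]) for p, v in S]  # (v | x) <= (v | p)
    for i in range(len(rows)):
        for j in range(i + 1, len(rows)):
            x = solve2((rows[i][0], rows[j][0]), (rows[i][1], rows[j][1]))
            if x is not None and all(a[0] * x[0] + a[1] * x[1] <= b + tol for a, b in rows):
                return True
    return False


def successors(cell, u, grid, r, m=16):
    """One round of Fig. 3 for N = 1: the cells A' of `grid` (boxes (lo, hi))
    that intersect P(G(., u)^diamond(Sigma(A_hat))), where A_hat is the disk of
    radius r around the centre of `cell` (r must cover the cell)."""
    lo, hi = cell
    centre = ((lo[0] + hi[0]) / 2, (lo[1] + hi[1]) / 2)
    S1 = complementary_extension(disk_supports(centre, r, m), u)
    return [c for c in grid if polyhedron_nonempty(S1 + box_halfspaces(*c))]


def iterate_S(disks, inputs, m=16):
    """Recursion (12),(13) along fixed sequences: S_0 = Sigma_0 and
    S_k = Sigma_k union G(., u_{k-1})^diamond(S_{k-1}).  `disks` lists the
    supersets A_hat_k as (centre, r); `inputs` lists u_0, u_1, ..."""
    S = disk_supports(*disks[0], m)
    for k in range(1, len(disks)):
        S = disk_supports(*disks[k], m) + complementary_extension(S, inputs[k - 1])
    return S


def max_violation(S, points):
    """Largest (v | x - p) over x in points and (p, v) in S; it is <= 0 iff
    every point lies in P(S)."""
    return max(v[0] * (x[0] - p[0]) + v[1] * (x[1] - p[1])
               for x in points for p, v in S)


if __name__ == "__main__":
    grid = [((i / 2, j / 2), ((i + 1) / 2, (j + 1) / 2))
            for i in range(-2, 2) for j in range(-2, 2)]
    for c in successors(((0.0, 0.0), (0.5, 0.5)), 0.5, grid, 0.4):
        print("transition from [0,.5]^2 under u = 0.5 to", c)
```

For the disk of radius 0.4 used here the image $G(\hat{A}, u)$ is convex (the curvature of the image of the circle stays positive because $h$ is small compared with $1/r$), so by Lemma III.6 the mapped pairs are supporting half-spaces of the image and `max_violation` over a sample of $G(\hat{A}, u)$ stays at rounding level; with a cell whose image is not convex, as in Fig. 2, the same test would expose points of $G(A, u)$ outside the computed polyhedron.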

In order to estimate the computational complexity of the algorithm in Fig. 3, we assume
for simplicity that each of the sets $\tilde A$ is approximated by $m$ supporting half-spaces, i.e.,
$m = |\Sigma(A)|$ for all $A \in C'$, where $|\cdot|$ denotes cardinality. It is then easy to see that for
any given $k \in [0;N[$, the number of half-spaces needed to define all the sets (19) is at
most $m|C||U|^{k+1}$, and these sets are represented by at most $(k+1)m$ half-spaces each.
To estimate the number of tests for emptiness, we additionally assume that there is a
constant $\Lambda > 0$, independent of $|C|$, such that the following holds. For any given set of
the form (19), the test on line 8 has to be performed for at most $\Lambda$ cells $A_{k+1} \in C$, and the
set of these candidate cells can be provided in constant time. This holds, in particular,
if the cells in $C'$ are congruent compacta arranged in a regular grid. Then, for any given
$k$, the number of tests on line 8 is bounded by $\Lambda^{k+1}|C||U|^{k+1}$. Note here that the values
$\emptyset$ and $\mathbb{R}^n$, which may be assigned on lines 9 and 11, play a role similar to zeros in
sparse matrices, and thus, these values do not need to be stored and computations on
them do not need to actually be performed [52].

In summary, the algorithm in Fig. 3 requires the solution of $O(m|C||U|^N)$ instances of
(20) and of $O(\Lambda^N|C||U|^N)$ linear feasibility problems in $n$ variables with at most $(N+1)m$
inequalities each, where $O(\cdot)$ is the usual asymptotic notation [53]. The parameters $m$
and $|C|$ depend on the dimension $n$ of the state space of (1), with $|C|$ typically growing
exponentially. Therefore, the computational effort has to be expected to grow rapidly
with $n$, a problem that is common to all grid based methods for the computation of
abstractions, e.g. [1], [8], [26], [27], [32].

We remark that apart from an increasing computational effort, application of the algorithm
shown in Fig. 3 in dimensions exceeding 2 does not pose any particular difficulties.
This is obvious for the operations on lines 8 and 13, which we have already discussed,
and also holds for the remaining operations. Specifically, for the computation of the
supporting polyhedral approximations $\Sigma(A)$ on line 2, several methods are available for
a large class of sets $\tilde A$ [53].

Finally, we would like to emphasize again that convexity of certain attainable sets is
an important requirement for the correctness of the algorithm in Fig. 3, see hypothesis
(H2). While for linear systems that requirement is always met by the choice $\tilde A = A$, the
results of Section IV will show how to meet it in the presence of non-linearities.

E. Sampled systems

Here we consider the case that (1) arises from a continuous-time system (2) under
sampling. More formally, let a continuous-time control system (2) with $F\colon X \times V \to \mathbb{R}^n$
and a set $U$ of input signals be given, where $X \subseteq \mathbb{R}^n$, $V \subseteq \mathbb{R}^m$, each $u \in U$ is a piecewise
continuous map $u\colon [0,T] \to V$, and $T > 0$ is the sampling period. A map $v\colon \mathbb{R}_+ \to V$ is
an admissible input signal for (2), generated by $u\colon \mathbb{Z}_+ \to U$, if $v(t) = u_k(t - kT)$ for all
$k \in \mathbb{Z}_+$ and all $t \in [kT,(k+1)T[$. The set of admissible input signals for (2) is denoted
$\mathcal{V}$ in the sequel. We assume the following.

(H3) $X \subseteq \mathbb{R}^n$ is open, the right hand side $F$ of (2) is continuously differentiable with
respect to its first argument and continuous. Furthermore, for any $x_0 \in X$ and any
admissible input signal $v \in \mathcal{V}$, the solution of the initial value problem composed of (2)
and the initial condition $x(0) = x_0$ is extendable to the entire time axis $\mathbb{R}_+$.

Discrete-time system (1) is called the sampled system associated with (2) if its right
hand side is given by

$G(x,u) = \varphi(T,x,u)$

for all $x \in X$ and all $u \in U$, where $\varphi$ is the general solution of (2), i.e., $\varphi(t,x_0,v)$ is the
value at time $t$ of the solution of the initial value problem composed of (2) and the initial
condition $x(0) = x_0$.

Obviously, the sampled system (1) associated with (2) fulfills (H1) if (2) fulfills (H3),
and $\psi(k,x,u) = \varphi(kT,x,v)$ for all $x \in X$ and all $k \in \mathbb{Z}_+$, whenever $v$ is an admissible
input signal for (2) generated by the sequence $u\colon \mathbb{Z}_+ \to U$ and $\psi$ is the general solution
of (1). Hence, our results for (1), including the algorithm in Fig. 3, can be directly
applied to the sampled system (1) associated with (2) if the latter satisfies hypothesis
(H3). In particular, (20) can be efficiently solved even though the right hand side $G$ of
the sampled system (1) is not explicitly given. The solution is obtained through solving
an initial value problem in a $2n$-dimensional ordinary differential equation (ODE) over a
single sampling interval:

III.9 Proposition. Let (1) be the sampled system associated with (2) for sampling period
$T > 0$, and assume (H3). Then

$G(\cdot,u)^{\sharp}(p,v) = (x(T), y(T))$

for all $u \in U$, $p \in X$ and $v \in \mathbb{R}^n$, where $(x,y)$ denotes the solution of the initial value
problem

$\dot x(t) = F(x(t),u(t))$, (21a)
$\dot y(t) = -D_1F(x(t),u(t))^* y(t)$, (21b)
$x(0) = p$, $y(0) = v$. (21c)

Proof. Assume $u$ is continuous and let $\varphi$ denote the general solution of (2). (H3) implies
$\varphi$ is continuously differentiable, $X := D_2\varphi(\cdot,p,u)$ fulfills the variational equation
$\dot X(t) = D_1F(x(t),u(t))X(t)$, and $X(0) = \mathrm{id}$, e.g. [54]. In particular, $G(\cdot,u)$ is
a $C^1$-diffeomorphism, so its complementary extension $G(\cdot,u)^{\sharp}$ is well-defined. Furthermore,
$(X(\cdot)^{-1})^*$ fulfills the adjoint equation (21b), e.g. [54]. Thus, $(D_1G(p,u)^{-1})^* v = (X(T)^{-1})^* v = y(T)$.
The extension to piecewise continuous $u$ is obvious. □

Figure 4. (a) Geometric idea behind our derivations in Section IV for the continuous-time system (2): If $\Omega$ is
a Euclidean ball of radius $r$ and the right hand side $F$ of (2) is of class $C^{1,1}$, then the attainable set $\varphi(T,\Omega,u)$
is convex whenever $T$ or $r$ is small enough. This idea does not extend to smooth, strictly convex sets $\Omega$, nor
to right hand sides $F$ of class $C^1$. (b) The smallest intersection $\tilde A$ of a finite number of closed balls of radius $r$
containing a polyhedron $A$ is a subset of any $r$-convex ellipsoid (dashed) containing $A$.
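The half-space propagation step (20), carried out for the sampled pendulum (41) of Section V by integrating the $2n$-dimensional ODE (21) of Proposition III.9; this is example code added here, not the author's Mathematica implementation. It takes $\omega = 1$, $\gamma = 0.01$, $T = 0.2$ from Section V, and it assumes a fixed-step Runge-Kutta integrator and a constructed hexagon cell of circumradius 0.22; the `adjoint_residual` check compares $y(T)$ with $(D_1G(p,u)^{-1})^* v$ obtained from the variational matrix.

```python
import math

# Pendulum on a cart, system (41), with the parameters of Section V
# (omega = 1, gamma = 0.01) and sampling period T = 0.2.
OMEGA = 1.0
GAMMA = 0.01
T_SAMPLE = 0.2


def pendulum_rhs(x, u):
    """F(x, u) of (41): x1 angle from the downward vertical, x2 its velocity,
    u the cart acceleration (constant over one sampling interval)."""
    x1, x2 = x
    return (x2, -OMEGA ** 2 * math.sin(x1) - u * OMEGA ** 2 * math.cos(x1)
            - 2.0 * GAMMA * x2)


def pendulum_jacobian(x, u):
    """D_1 F(x, u), the Jacobian of (41) with respect to the state."""
    x1, _ = x
    return ((0.0, 1.0),
            (-OMEGA ** 2 * math.cos(x1) + u * OMEGA ** 2 * math.sin(x1),
             -2.0 * GAMMA))


def augmented_rhs(s, u):
    """Right hand side of the 2n-dimensional ODE (21), here n = 2, with the
    variational equation X' = D_1F X appended so the result can be checked.
    State layout: s = (x1, x2, y1, y2, X11, X12, X21, X22)."""
    x, y = (s[0], s[1]), (s[2], s[3])
    X = ((s[4], s[5]), (s[6], s[7]))
    f = pendulum_rhs(x, u)
    J = pendulum_jacobian(x, u)
    # (21b): y' = -D_1F(x, u)^* y, the adjoint of the variational equation
    dy = (-(J[0][0] * y[0] + J[1][0] * y[1]),
          -(J[0][1] * y[0] + J[1][1] * y[1]))
    # X' = J X with X(0) = id, so X(T) = D_1G(p, u) for the sampled system
    dX = (J[0][0] * X[0][0] + J[0][1] * X[1][0],
          J[0][0] * X[0][1] + J[0][1] * X[1][1],
          J[1][0] * X[0][0] + J[1][1] * X[1][0],
          J[1][0] * X[0][1] + J[1][1] * X[1][1])
    return (f[0], f[1], dy[0], dy[1]) + dX


def rk4(rhs, s0, u, horizon, steps=200):
    """Fixed-step classical Runge-Kutta integrator (an assumption of this
    example; the paper does not prescribe an ODE solver)."""
    h = horizon / steps
    s = tuple(s0)
    for _ in range(steps):
        k1 = rhs(s, u)
        k2 = rhs(tuple(a + 0.5 * h * b for a, b in zip(s, k1)), u)
        k3 = rhs(tuple(a + 0.5 * h * b for a, b in zip(s, k2)), u)
        k4 = rhs(tuple(a + h * b for a, b in zip(s, k3)), u)
        s = tuple(a + h / 6.0 * (b1 + 2.0 * b2 + 2.0 * b3 + b4)
                  for a, b1, b2, b3, b4 in zip(s, k1, k2, k3, k4))
    return s


def propagate_halfspace(p, v, u, horizon=T_SAMPLE):
    """One instance of (20): the supporting half-space {x | (v|x - p) <= 0} is
    mapped to G(., u)^#(p, v) = (x(T), y(T)) as in Proposition III.9.
    Returns (p~, v~, X(T)); X(T) = D_1G(p, u) is only needed for checking."""
    s0 = (p[0], p[1], v[0], v[1], 1.0, 0.0, 0.0, 1.0)
    s = rk4(augmented_rhs, s0, u, horizon)
    return (s[0], s[1]), (s[2], s[3]), ((s[4], s[5]), (s[6], s[7]))


def adjoint_residual(v, v_tilde, X):
    """Max-norm of v~ - (X^{-1})^* v.  By Proposition III.9 this vanishes up to
    integration error, i.e. y(T) solves the linear system (20b)."""
    (a, b), (c, d) = X
    det = a * d - b * c
    want = ((d * v[0] - c * v[1]) / det, (-b * v[0] + a * v[1]) / det)
    return max(abs(v_tilde[0] - want[0]), abs(v_tilde[1] - want[1]))


def hexagon_halfspaces(center, circumradius):
    """Six supporting half-spaces (p_k, v_k) of a regular hexagon oriented as
    in (43) (vertices at 30 + 60k degrees): outward unit normals v_k at 60k
    degrees, touching points p_k at distance apothem = R * sqrt(3) / 2."""
    apothem = circumradius * math.sqrt(3.0) / 2.0
    faces = []
    for k in range(6):
        theta = math.radians(60.0 * k)
        v = (math.cos(theta), math.sin(theta))
        faces.append(((center[0] + apothem * v[0],
                       center[1] + apothem * v[1]), v))
    return faces


def propagate_cell(center, circumradius, u):
    """Image of all six supporting half-spaces of one hexagon cell under a
    single sampling step with constant control u, i.e. the data defining the
    outer convex approximation (19) for k = 0 (the cell is constructed)."""
    return [propagate_halfspace(p, v, u)
            for p, v in hexagon_halfspaces(center, circumradius)]
```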



IV. Convexity of attainable sets

In this section we will investigate the convexity of attainable sets of control systems
(1) and (2). To begin with, we briefly explain the geometric idea behind our derivations
using the example of the continuous-time system (2). Consider a set $\Omega \subseteq \mathbb{R}^n$ of class $C^2$,
denote its boundary by $\partial\Omega$, let $x \in \partial\Omega$ be an arbitrary boundary point, and let $\nu$ be a
unit-length normal to $\Omega$ at $x$. Let $\eta_x$ be a $C^2$-map defined on the tangent space of $\partial\Omega$ at
$x$ that represents the boundary $\partial\Omega$ locally about the point $x$ in local coordinates, with
the origin located at $x$. That is, $\eta_x$ is such that in a neighborhood of $x$ we have $y \in \partial\Omega$
iff there is a tangent vector $h$ to $\partial\Omega$ at $x$ such that $y = x + h + \nu\cdot\eta_x(h)$. See Fig. 4(a).
The map $\eta_x$ is locally uniquely determined by $\Omega$ and satisfies $\eta_x(0) = 0$ and $\eta_x'(0) = 0$.
Moreover, $\Omega$ is convex iff $\eta_x''(0)$ is negative semi-definite for every $x \in \partial\Omega$ [47], where $\eta_x''$
denotes the second order derivative of $\eta_x$. Consequently, if the right hand side $F$ of (2)
is of class $C^2$, the issue of convexity of attainable sets can be decided by studying the
evolution of $\eta_x''(0)$ under the dynamics of (2). The realization of that idea in the case that
$\Omega$ is a Euclidean ball centered at some point $x_0$ reveals that the attainable set $\varphi(T,\Omega,u)$
is convex whenever the time $T$ or the radius $r$ of $\Omega$ is small enough [47]. See Fig. 4(a).
Moreover, bounds on $T$ and $r$ can be derived from properties of the right hand side $F$ of
(2). These results generalize to ellipsoids in place of balls and can also be generalized
to the case of $C^{1,1}$-smoothness by using suitably generalized second order derivatives [47].
They do not, however, extend to smooth, strictly convex sets, nor to right hand sides of
class $C^1$. In particular, attainable sets $\varphi(T,\Omega,u)$ can then be non-convex for any time
$T > 0$.

In the present section, we will replace ellipsoids by strongly convex sets. Here, the set
$\Omega \subseteq \mathbb{R}^n$ is strongly convex of radius $r$, or $r$-convex for short, if it is an intersection of a
family of closed balls of radius $r > 0$, i.e., if

$\Omega = \bigcap_{x \in M} B(x,r)$ (22)

for some $M \subseteq \mathbb{R}^n$, where $B(x,r)$ denotes the closed Euclidean ball of radius $r$ centered
at $x$. $\Omega$ is strongly convex if it is $r$-convex for some $r > 0$ [55], [56].

In view of the method proposed in Section III, the use of strongly convex rather
than ellipsoidal supersets of quantizer cells allows for more precise approximations of
attainable sets, and thus, for more accurate abstractions. Indeed, in contrast to the case
of ellipsoidal supersets, the error $\varepsilon$ by which $P(\Sigma(A))$ approximates the cell $A$ in Fig. 4(b)
is quadratic in the edge length $s$ of $A$, and it can be shown that this property carries
over to approximations of attainable sets of $A$. See also Fig. 2.

We will also extend previous results to the discrete-time case (1). Our results not
only allow verification of the requirements for the correctness of the algorithm of Section
III when a particular quantizer is given, but they also help in constructing admissible
quantizers. In particular, we show that if hypothesis (H1) is fulfilled with sufficient
smoothness and $Y \subseteq \mathbb{R}^n$ is a compact, full-dimensional, convex polyhedron, then choosing
sufficiently small scaled and translated copies of $Y$ as operating range quantizer cells will
guarantee that the stated requirements of Section III are met.

As the problems investigated in this section become trivial in dimension 1, we assume
a multidimensional setting, i.e., $n \ge 2$ throughout this section.



A. Convexity of diffeomorphic images of strongly convex sets

We first present a sufficient condition for the diffeomorphic image of a strongly convex
set to be itself convex, which will be the basis of all subsequent results. In what follows,
we write $x \perp y$ if $(x|y) = 0$ and denote by $\|\cdot\|$ the Euclidean norm of both vectors and
linear maps. The closure, interior and boundary of a set $M \subseteq \mathbb{R}^n$ are denoted $\operatorname{cl}M$, $\operatorname{int}M$
and $\partial M$, respectively. We set $fh^k := f(h,\ldots,h)$ if $f$ is $k$-linear.

IV.1 Proposition. Let $\Phi\colon U \to V$ be a $C^{1,1}$-diffeomorphism between open sets $U, V \subseteq \mathbb{R}^n$
and $\Omega \subseteq U$ be $r$-convex, $\Omega \neq \mathbb{R}^n$. Assume that for each $x \in \partial\Omega$ there is a unit length
normal $\nu$ to $\Omega$ at $x$ such that

$\displaystyle\liminf_{t\to 0,\,t>0} \frac{\bigl(\nu \,\big|\, \Phi'(x)^{-1}\bigl(\Phi'(x+t\xi) - \Phi'(x)\bigr)\xi\bigr)}{t} < \frac{\|\xi\|^2}{r}$ (23)

holds for all $\xi \perp \nu$, $\xi \neq 0$. Then $\Phi(\Omega)$ is convex.

It should be noted that the left hand side of (23) equals $(\nu|\Phi'(x)^{-1}\Phi''(x)\xi^2)$ if $\Phi$ is of
class $C^2$. In addition, if (23) were not a strict inequality and if $\Omega$ is a closed ball of radius
$r$, the condition is known to be necessary and sufficient for the convexity of $\Phi(\Omega)$ [47].
However, this does not prove the proposition, despite representation (22). Indeed, (23) is
only required to hold at boundary points $x$ of $\Omega$. Hence, even if all balls that appear in
(22) are in the domain of definition $U$ of $\Phi$, (23) may very well be violated at boundary
points of these balls.

In the course of proving Proposition IV.1 we will say that $\Omega$ is weakly supported at
$p \in \partial\Omega$ locally whenever there is some neighborhood $U$ of $p$ and a non-zero normal to
$\Omega \cap U$ at $p$ [49]. Further, we will call $f\colon U \to \mathbb{R}$ a $C^{1,1}$-submersion on its zero set if the
following holds: $f$ is continuous on the open set $U \subseteq \mathbb{R}^n$, and for every zero $x$ of $f$, $f$ is
of class $C^{1,1}$ on a neighborhood of $x$ and $f'(x)$ is surjective.

IV.2 Lemma. Let $g\colon U \subseteq \mathbb{R}^n \to \mathbb{R}$ be a $C^{1,1}$-submersion on its zero set, $\Omega = \{x \in U \mid g(x) \le 0\}$,
and assume $g(0) = 0$ and

$\displaystyle\liminf_{t\to 0,\,t>0} \frac{g'(th)h}{t} > 0$ (24)

for all $h \in \ker g'(0) \setminus \{0\}$. Then $\Omega$ is weakly supported at $0$ locally.

Proof. Set $\nu = g'(0)^*/\|g'(0)\|$. An application of the implicit function theorem to the
equation $g(h + \lambda\nu) = 0$ for $h \in \ker g'(0)$ and $\lambda \in \mathbb{R}$ shows that $\Omega$ can be represented
locally about $0$ by a map $\eta\colon W \subseteq \ker g'(0) \to \mathbb{R}$ of class $C^{1,1}$, $W$ an open neighborhood of
the origin. That is, for $h$ and $\lambda$ small enough we have $h + \lambda\nu \in \Omega$ iff $\lambda \le \eta(h)$. Combine
this with the identity $(\nu|h + \lambda\nu) = \lambda$ and the definition of weak local support to see that
it suffices to show $\eta(h) \le 0$ for all sufficiently small $h$. In order to prove the latter, first
observe that $\eta(0) = 0$ and $\eta'(0) = 0$. Then differentiate the identity $g(h + \eta(h)\nu) = 0$
with respect to $h$ and use the Lipschitz continuity of $g'$ to obtain

$\displaystyle\limsup_{t\to 0,\,t>0} \eta'(th)h/t = -\|g'(0)\|^{-1}\liminf_{t\to 0,\,t>0} g'(th)h/t$

for all $h \in \ker g'(0)$. If $g$ is of class $C^2$, then so is $\eta$, the left hand side of the latter
equation equals $\eta''(0)h^2$, and the claim follows from (24). If $g$ is merely $C^{1,1}$, use again
(24) and apply [57, Theorem 3.2]. □

Proof of Proposition IV.1. The claim is trivial for $\Omega = \emptyset$ and $\Omega$ a singleton, so we
assume $\Omega$ contains at least two points. Then $\Omega$ has nonempty interior by Lemma A.1
in the Appendix. In addition, $\Omega$ is compact and convex. Hence $\Omega = \operatorname{cl}(\operatorname{int}(\Omega))$ and
$\operatorname{int}(\Omega)$ is connected, and these properties are preserved under diffeomorphisms. Moreover,
$\operatorname{int}(\Phi(\Omega)) = \Phi(\operatorname{int}(\Omega))$ since $\Phi$ is a diffeomorphism.

We will show below that $\operatorname{int}(\Phi(\Omega))$ is weakly supported at each of its boundary points
locally. Then, since that set is also open and connected, it is convex [49, Theorem 4.10],
which implies its closure $\Phi(\Omega)$ is also convex.

Let $x \in \partial\Omega$ be arbitrary and $\nu$ be as in the statement of the proposition, and assume
$x = \Phi(x) = 0$ without loss of generality. Then $\Omega \subseteq B(-r\nu,r)$ since $\Omega$ is $r$-convex and
compact [55, Proposition 3.1]. Now define $f(z) = \|z + r\nu\|^2 - r^2$ and $g = f \circ \Phi^{-1}$ to
observe that $g(y) \le 0$ is equivalent to $y \in \Phi(B(-r\nu,r))$, hence

$\Phi(\Omega) \subseteq \{y \in V \mid g(y) \le 0\}$. (25)

We claim that the set on the right hand side of (25) is weakly supported at the origin
locally. To prove this, first observe that $g$ is a $C^{1,1}$-submersion on its zero set since $f$ is
one and $\Phi$ is a $C^{1,1}$-diffeomorphism, and that $g(0) = 0$. Then differentiate the identity
$f = g \circ \Phi$, observe $f'(t\xi)\xi/t = 2\|\xi\|^2$, and use the Lipschitz continuity of $g'$ and the
continuity of $\Phi'$ to see that $2\|\xi\|^2$ equals

$\displaystyle\liminf_{t\to 0,\,t>0}\Bigl( g'(th)h/t + 2r\,\bigl(\nu\,\big|\,\Phi'(0)^{-1}(\Phi'(t\xi) - \Phi'(0))\xi\bigr)/t \Bigr)$

whenever $h = \Phi'(0)\xi$. The identity $g'(0)\Phi'(0)\xi = 2r(\nu|\xi)$ and (23) for all $\xi \perp \nu$, $\xi \neq 0$
imply (24) for all $h \in \ker g'(0) \setminus \{0\}$, and an application of Lemma IV.2 proves our claim.

Now, since the origin is also a boundary point of $\Phi(\Omega)$, and since the right hand side
of (25) is weakly supported at the origin locally, so is $\Phi(\Omega)$, and hence, $\operatorname{int}(\Phi(\Omega))$. □



B. Convexity of attainable sets of discrete-time systems

We next present a result that enables us to verify hypothesis (H2), and hence, to
establish the correctness of the algorithm proposed in Section III for the computation
of discrete abstractions of the quantized system (1),(3), whenever a particular quantizer
together with its system $C$ of operating range cells is given. In what follows, $D_i^j f$ denotes
the partial derivative of order $j$ with respect to the $i$th argument, of the map $f$.

IV.3 Theorem. Assume (H1) with smoothness $C^{1,1}$, let $\psi$ denote the general solution
of (1), and let $N \in \mathbb{N}$ and $\Omega \subseteq X$ be $r$-convex with $\Omega \neq \mathbb{R}^n$. Assume that there are
$L_1, L_2 \in \mathbb{R}$ such that

$L_1 \ge \sigma_+(D_1G(x,w))^2/\sigma_-(D_1G(x,w))$, (26)

$\displaystyle L_2 \ge \limsup_{h\to 0} \frac{\|D_1G(x,w)^{-1}D_1G(x+h,w) - \mathrm{id}\|}{\|h\|}$ (27)

for all $(x,w) \in \psi([0;N[,\Omega,U^{\mathbb{Z}_+}) \times U \subseteq X \times U$, where $\sigma_+(A)$ and $\sigma_-(A)$ denote the
maximum and minimum, respectively, singular values of $A$. Then the attainable set
$\psi(k,\Omega,u)$ is convex for all $k \in [0;N]$ and all $u\colon \mathbb{Z}_+ \to U$ if

$\displaystyle rL_2\sum_{\tau=0}^{N-1}L_1^{\tau} \le 1$. (28)



Proof. We may assume $\Omega$ contains at least two points as well as $k = N$ without loss of
generality. By our hypotheses on the right hand side $G$ of (1), the map $\Phi := \psi(N,\cdot,u)$
is a $C^{1,1}$-diffeomorphism between an open neighborhood of $\Omega$ and an open subset of $X$.
We first prove the claim under the assumption that (28) is strict by applying Prop. IV.1
to $\Phi$:

Let $x \in \partial\Omega$, $\nu$ any unit length normal to $\Omega$ at $x$, and $\xi \perp \nu$. For $t$ small enough and
$k \in [0;N]$ define $y_k(t) = D_2\psi(k,x+t\xi,u)\xi$. Then $y_0(t) = \xi$ and the sequence $y(t)$ solves
the variational equation to (1) along $\psi(\cdot,x+t\xi,u)$, i.e.,

$y_{k+1}(t) = D_1G(\psi(k,x+t\xi,u),u_k)\,y_k(t)$ (29)

for all $k \in [0;N[$. Next define $z_k(t) = (y_k(t) - y_k(0))/t$ for $t > 0$ small enough. Then
$z_0(t) = 0$, and the sequence $z(t)$ solves another linear difference equation, namely,

$z_{k+1}(t) = D_1G(\psi(k,x,u),u_k)\,z_k(t) + b_k$ (30)

for all $k \in [0;N[$, where $b_k$ denotes

$\bigl(D_1G(\psi(k,x+t\xi,u),u_k) - D_1G(\psi(k,x,u),u_k)\bigr)\,y_k(t)/t$.

Note that in the case of $C^2$-smoothness, if we let $t$ tend to 0, then (30) reduces to
the variational equation (whose solution is $D_2^2\psi(k,x,u)\xi^2$) of the variational equation
(29). Now observe $(k,k_0) \mapsto D_2\psi(k,x,u)D_2\psi(k_0,x,u)^{-1}$ is the transition matrix of the
homogeneous system associated with (30), use the identity

$\Phi'(x)^{-1}\bigl(\Phi'(x+t\xi) - \Phi'(x)\bigr)\xi/t = D_2\psi(N,x,u)^{-1}z_N(t)$ (31)

and apply the discrete variation of constants formula [58] to (30) to see that the left hand
side of (31) equals

$\displaystyle\sum_{\tau=0}^{N-1} D_2\psi(\tau,x,u)^{-1}D_1G(\psi(\tau,x,u),u_\tau)^{-1}b_\tau$. (32)

From the variational equation of (1) along $\psi(\cdot,x,u)$ we obtain

$\|D_2\psi(\tau+1,x,u)\| \le \sigma_+(D_1G(p,u_\tau))\,\|D_2\psi(\tau,x,u)\|$,

$\displaystyle\|D_2\psi(\tau+1,x,u)^{-1}\| \le \frac{\|D_2\psi(\tau,x,u)^{-1}\|}{\sigma_-(D_1G(p,u_\tau))}$,

where $p = \psi(\tau,x,u)$; hence, by our hypothesis (26),

$\|D_2\psi(\tau,x,u)^{-1}\| \cdot \|D_2\psi(\tau,x,u)\|^2 \le L_1^{\tau}$ (33)

for all $x \in \Omega$, $u\colon \mathbb{Z}_+ \to U$ and $\tau \in [0;N[$.

Let $\varepsilon > 0$ be arbitrary. Then $\|D_2\psi(\tau,x+t\xi,u)\| \le (1+\varepsilon)\|D_2\psi(\tau,x,u)\|$ whenever $t$ is
small enough. Use this fact, the bound (27), the mean value theorem, and (33) to obtain
the upper bound $(1+\varepsilon)^2L_2\|\xi\|^2\sum_{\tau=0}^{N-1}L_1^{\tau}$ for the norm of (32), for all $x \in \Omega$, $u\colon \mathbb{Z}_+ \to U$
and all $t > 0$ small enough. Now let $\varepsilon$ tend to $0$ to see that the strict variant of (28)
implies (23), hence the convexity of $\Phi(\Omega)$.

To complete the proof, assume $\Omega$ is of form (22) and define

$\Theta(s) = \bigcap_{x \in M} B(x,s)$ (34)

for $s > 0$. Then $\Phi(\Theta(s))$ is convex for all $s < r$ by the first part of this proof. By
Lemma A.2, $\Theta(s)$ converges to $\Omega$ in Hausdorff distance, and that property is preserved
under diffeomorphisms. Consequently, $\Phi(\Omega)$ is the limit of convex sets, and thus, is itself
convex [59]. □

We remark that the hypotheses of Theorem IV.3 can be verified by inspection of the
right hand side $G$ of (1). Indeed, suitable constants $L_1$ and $L_2$ are obtained from estimates
of singular values of $D_1G(x,w)$ and of a Lipschitz constant of $D_1G(x,w)^{-1}D_1G(y,w)$
with respect to $y$, respectively. In this regard, note also that $L_2$ is just a bound on
$\|D_1G(x,w)^{-1}D_1^2G(x,w)\|$ if the right hand side $G$ is of class $C^2$ with respect to its first
argument.



C. Construction of admissible quantizers

We now turn to the question of how to construct an admissible quantizer. Let there
be given some $N \in \mathbb{N}$ and a compact subset $K \subseteq X$ of the state space $X$ of the discrete-
time system (1) together with an open neighborhood $V \subseteq X$ of $K$. Intuitively, $N$ is the
memory span of an abstraction we seek to compute, $K$ is the intended operating range of
the quantizer, and $V$ can be thought of as a maximal operating range, i.e., $X \setminus V$ should
be covered by overflow symbols. Of course, our choice of $N$, $K$ and $V$ would depend on
particularities of the problem we intend to solve.

In addition, let there be given a full-dimensional, convex polyhedron $Y \subseteq \mathbb{R}^n$ together
with a strongly convex set $\tilde Y$ containing $Y$ as a subset. Denote the general solution
of the discrete-time system (1) by $\psi$. We will first choose a finite set $C'$ of scaled and
translated copies of $Y$ that cover $K$, i.e.,

$C' = \{z + \lambda Y \mid z \in Z\}$, (35)
$K \subseteq Z + \lambda Y$ (36)

for some $\lambda > 0$ and some finite subset $Z \subseteq \mathbb{R}^n$, and then supplement $C'$ by overflow
symbols to obtain a finite cover $C$ of $\mathbb{R}^n$ for which (H2) holds. Our choice will further
guarantee $Z + \lambda\tilde Y \subseteq V$ and that the attainable sets $\psi(k, z + \lambda\tilde Y, u)$ are convex for all
$k \in [1;N]$, $z \in Z$, and $u\colon [0;k[ \to U$.

Assume without loss of generality that the origin is an interior point of $Y$ and $\tilde Y$ is $1/2$-
convex, and denote the distance between $K$ and $X \setminus V$ by $d$. Then $d > 0$ as $K$ is compact
and $V$ is open, and $K + \lambda\tilde Y$ is compact and contained in $V$ for any $\lambda \in ]0,d]$. Hence
$K' := \psi([0;N[, K + \lambda\tilde Y, U^{\mathbb{Z}_+})$ is compact if $U$ is finite. If (H1) holds with smoothness
$C^{1,1}$, then $G(\cdot,w)$ is a $C^{1,1}$-diffeomorphism, so we may choose $L_1$, $L_2$ and $\lambda > 0$ such that
$\lambda/2 \le r := \bigl(L_2\sum_{\tau=0}^{N-1}L_1^{\tau}\bigr)^{-1}$ and (26) and (27) hold for all $(x,w) \in K' \times U$, as well as
$K + \lambda\tilde Y \subseteq V$. Then $\lambda\tilde Y$ is $r$-convex, thus attainable sets $\psi(k, z + \lambda\tilde Y, u)$ are convex for
all $k \in [1;N]$, $z \in K$ and $u\colon [0;k[ \to U$ by Theorem IV.3.

Since $\lambda > 0$, $K$ is compact and the origin is an interior point of $Y$, we can find a
finite subset $Z \subseteq K$ for which (36) holds, and we could even guarantee $K \subseteq Z + \lambda\operatorname{int}Y$
if necessary. Finally, Lemma A.3 in the Appendix shows that if the set $C'$ is defined
by (35), it can be supplemented by convex polyhedra to obtain a finite covering of $\mathbb{R}^n$.
We have thus proved the following result, which easily extends to the case of a compact
rather than finite input alphabet.

IV.4 Theorem. Let the input alphabet $U$ of the discrete-time system (1) be finite and
assume (H1) with smoothness $C^{1,1}$. Let further be given some $N \in \mathbb{N}$, a compact subset
$K \subseteq X$, an open neighborhood $V \subseteq X$ of $K$, as well as a full-dimensional, convex
polyhedron $Y \subseteq \mathbb{R}^n$ together with a strongly convex set $\tilde Y \subseteq \mathbb{R}^n$ for which $Y \subseteq \tilde Y \neq \mathbb{R}^n$.
Then there is a finite subset $Z \subseteq \mathbb{R}^n$, some $\lambda > 0$, and a superset $C$ of the set $C'$ defined
by (35) such that (H2) and

$K \subseteq Z + \lambda Y \subseteq Z + \lambda\tilde Y \subseteq V$

hold. Moreover, $A \cap \operatorname{int}A' = \emptyset$ for all $A \in C \setminus C'$ and all $A' \in C$, and one may
additionally require $A \cap K = \emptyset$ for all overflow symbols $A \in C \setminus C'$.

D. Convexity of attainable sets of sampled systems

We finally provide two results useful for sampled systems.

IV.5 Theorem. Assume (H3), let the right hand side $F$ of (2) be of class $C^{1,1}$ with
respect to its first argument, and let $\varphi$ denote the general solution of (2). Let $t > 0$ and
$\Omega \subseteq X$ be $r$-convex with $\Omega \neq \mathbb{R}^n$. Further assume that there are $M_1, M_2 \in \mathbb{R}$ such that

$M_1 \ge 2\mu_+(D_1F(x,w)) - \mu_-(D_1F(x,w))$,

for all $(x,w) \in \varphi([0,t],\Omega,\mathcal{V}) \times V \subseteq X \times V$, where $\mu_+(A)$ and $\mu_-(A)$ denote the maximum
and minimum, respectively, eigenvalues of the symmetric part $(A + A^*)/2$ of $A$. Then the
attainable set $\varphi(\tau,\Omega,v)$ is convex for all $\tau \in [0,t]$ and all admissible input signals $v \in \mathcal{V}$ if

$\displaystyle rM_2\int_0^t \exp(M_1\rho)\,d\rho < 1$. (37)

Proof. We may assume $\Omega$ contains at least two points as well as $\tau = t$ without loss of
generality. By our hypotheses on the right hand side $F$ of (2), the map $\Phi := \varphi(t,\cdot,v)$
is a $C^{1,1}$-diffeomorphism between an open neighborhood of $\Omega$ and an open subset of $X$.
We assume $\Omega$ is of form (22), define $\Theta(s)$ for $s > 0$ by (34), and prove $\varphi(t,\Theta(s),v)$ is
convex for any $s \in ]0,r[$ by applying Proposition IV.1 to $\Phi$. The theorem then follows
from Lemma A.2.

To this end, set $I = [0,t]$ and $X' = \varphi(I,\operatorname{int}\Omega,v)$, and define $f\colon I \times X' \to \mathbb{R}^n$ by
$f(\tau,x) = F(x,v(\tau))$. Since $X'$ is an open neighborhood of $\varphi(I,\Theta(s),v)$, the ODE
$\dot x = f(t,x)$ fulfills the hypothesis of [47, Theorem 3]. The proof of the latter result shows
that if $v$ is continuous, then for any $x \in X'$ and any $\varepsilon > 0$ we have
$\|\Phi'(x)^{-1}(\Phi'(x+h) - \Phi'(x))\| \le (1+\varepsilon)^2M_2\|h\|\int_0^t\exp(M_1\rho)\,d\rho$ for all sufficiently
small $h$. The extension to piecewise continuous $v$ is straightforward. Then (37) implies
(23) with $s$ substituted for $r$ and $\zeta$ substituted for $\nu$, for any $x \in \partial\Theta(s)$ and any
$\zeta,\xi \in \mathbb{R}^n$ with $\|\zeta\| = 1$ and $\xi \neq 0$. Thus $\Phi(\Theta(s))$ is convex by Proposition IV.1. □

IV.6 Theorem. Assume (H3), let the right hand side $F$ of (2) be of class $C^2$ with respect
to its first argument, and let $\varphi$, $t$, $\Omega$, and $r$ be as in Theorem IV.5. Assume further that
there is a constant $L_2$ such that

$\displaystyle \Bigl\|\int_0^{S} D_2\varphi(\tau,x,v)^{-1}\,D_1^2F(p(\tau),v(\tau))\,\bigl(D_2\varphi(\tau,x,v)h\bigr)^2\,d\tau\Bigr\| \le L_2\|h\|^2$ (38)

for all $x \in \Omega$, $S \in [0,t]$, $v \in \mathcal{V}$ and $h \in \mathbb{R}^n$, where $p(\tau) = \varphi(\tau,x,v)$. Then the attainable
set $\varphi(\tau,\Omega,v)$ is convex for all $\tau \in [0,t]$ and all admissible input signals $v \in \mathcal{V}$ if $rL_2 < 1$.

Proof. As in the proof of Theorem IV.5, we assume $\Omega$ contains at least two points and
$\tau = t$, define $\Theta(s)$ by (34), and observe $\Phi := \varphi(t,\cdot,v)$ is a $C^2$-diffeomorphism. Let
$x \in X$, $h \in \mathbb{R}^n$, $v \in \mathcal{V}$, and define $y(t) = D_2\varphi(t,x,v)h$. Then $y(0) = h$, and $y$ solves the
variational equation to (2) along $\varphi(\cdot,x,v)$, i.e.,

$\dot y(t) = D_1F(\varphi(t,x,v),v(t))\,y(t)$ (39)

for all $t \ge 0$. Next define $z(t) = D_2^2\varphi(t,x,v)h^2$. Then $z(0) = 0$, and $z$ solves another
linear ODE, namely,

$\dot z(t) = D_1F(\varphi(t,x,v),v(t))\,z(t) + D_1^2F(\varphi(t,x,v),v(t))\,y(t)^2$ (40)

for all $t \ge 0$. (Note that $x$ is a parameter rather than an initial value in (39).) Now observe
$(t,t_0) \mapsto D_2\varphi(t,x,v)D_2\varphi(t_0,x,v)^{-1}$ is the transition matrix of the homogeneous system
associated with (40) and apply the solution formula for linear differential equations [54]
to (40) to see that $\Phi'(x)^{-1}\Phi''(x)h^2$ equals the integral in (38) with $t$ substituted for $S$.
Proposition IV.1 shows $\Phi(\Theta(s))$ is convex, and the theorem follows from Lemma A.2. □

Theorems IV.5 and IV.6 with the choice $t = N \cdot T$ provide sufficient conditions for
attainable sets of the sampled system (1) to be convex, as required in hypothesis (H2)
of Section III. In the case of Theorem IV.5, that condition can be verified directly from
properties of the right hand side $F$ of the continuous-time system (2) by estimating
eigenvalues and a Lipschitz constant, with $M_2$ being just a bound on $\|D_1^2F(x,w)\|$ if $F$
is of class $C^2$ with respect to its first argument. In contrast, application of Theorem
IV.6 requires estimating the integrand in (38). That higher effort often pays off when it
results in larger bounds on $r$ than (37). Note that, in view of the algorithm proposed
in this paper, larger bounds will typically translate into lower computational complexity;
see Fig. 4(b).

Figure 5. Example investigated in Section V: The pendulum (a) is swung up by the hybrid control system (b).



V. Example

In this section we shall demonstrate an application of our results from Sections III and
IV within the framework of abstraction based supervisory control of sampled systems by
solving a nonlinear, global problem with constraints. To begin with, consider the system

$\dot x_1 = x_2$, (41a)
$\dot x_2 = -\omega^2\sin(x_1) - u\,\omega^2\cos(x_1) - 2\gamma x_2$, (41b)

which describes the motion of a pendulum mounted on a cart. Here, $\omega$ and $\gamma$ are
parameters, specifically, $\gamma$ is a friction coefficient, and $x_1$ is the angle between the
pendulum and the downward vertical. See Fig. 5(a). The motion of the cart is not
modeled; its acceleration $u$ is considered a control.

We seek to swing up the pendulum by means of the hybrid control system shown in
Fig. 5(b), which possesses a simple hierarchical structure. The low-level controller is
to stabilize the pendulum at its upright position. That is, the point $(\pi,0)$ becomes an
asymptotically stable equilibrium of the closed loop composed of (41) and the low-level
controller, so there will be some non-trivial, positively invariant subset $E$ of its stability
region. The supervisor, on the other hand, would force the state from some neighborhood
of the origin into $E$ and on success, would hand over control to the low-level controller.
The supervisor will be realized by a finite automaton, which is why it is connected to the
continuous plant via interface devices [3], to the effect that the open loop composed of
actuator, pendulum and generator is represented by the sampled and quantized system
(1),(3) associated with (41).

Figure 6. (a) The state space of the pendulum system (41) is covered with quantizer cells. Supervisors designed
on the basis of abstractions of memory span $N \in \{2,3\}$ force the sampled and quantized pendulum system into
the stability region $E$ of the low-level controller, from anywhere in the indicated regions. The region for $N = 3$
contains the origin; one particular trajectory is shown. (b) Problem from (a) with extra constraints in the form
of three obstacles in state space, which are labeled $H$ in the illustration.

A suitable low-level controller together with a positively invariant set $E$ is straightforward
to determine [11], [60]. For example, if $\omega > 0$ and $0 < \gamma < \omega$, the affine state
feedback $u = 2(\pi - x_1 - x_2/\omega)$ stabilizes (41) at $(\pi,0)$, with the positively invariant
ellipsoid

$E = (\pi,0) + \{x \in \mathbb{R}^2 \mid 63\omega^2x_1^2 + 12\omega x_2x_1 + 56x_2^2 \le 42\omega^2\}$

being a subset of the stability region. Here we focus on the design of quantizer and
supervisor. So, let us consider a sampled version (1) of (41) and impose the constraints

$|x_2| \le \pi$, (42a)
$|u| \le 2$, (42b)

which model physical limits of an experimental setup. For the sake of simplicity, we
choose controls to be constant on a common sampling interval $[0,T]$, specifically,

$U = \{t \mapsto 0,\; t \mapsto -2,\; t \mapsto 2\}$

in the notation of Section II-C. This guarantees the sampled system (1) fulfills hypothesis
(H1).

We next design a suitable quantizer (3) as part of the generator device in the hybrid
control system of Fig. 5(b). To this end, assume that the control constraint (42b) is
satisfied and that problem data and sampling period are given by

$\omega = 1$, $\gamma = 0.01$, $T = 0.2$.

Theorem A.4 in the Appendix shows that the attainable set $\varphi(t,\Omega,u)$ is convex whenever
$\Omega \subseteq \mathbb{R}^2$ is $r$-convex, $r \ge 0.4$, and $0 \le t \le 3T = 0.6$, where $\varphi$ denotes the general solution
of (41). This implies any translated and possibly truncated copy of the regular hexagon
given by its set

$\dfrac{\pi}{16\sqrt{3}}\,\{(0,\pm2),\,(\sqrt{3},\pm1),\,(-\sqrt{3},\pm1)\}$ (43)

of vertices, which has circumradius $\pi/(8\sqrt{3}) < 0.23$, may be chosen as a quantizer cell in
the computation of abstractions of memory span up to 3. Further, in view of the state
constraint (42a) we may restrict our investigation of the dynamics of (41) to the region
$K$ defined by $K = \mathbb{R} \times [-\pi,\pi]$. So, let us choose $C'$ as a set of 304 translated copies
of the hexagon (43), each intersected with $K$. This intersection either leaves a hexagon
unchanged or results in an irregular pentagon; see Fig. 6. Finally, supplement $C'$ with
two overflow symbols,

$C = C' \cup \{\mathbb{R} \times [\pi,\infty[,\; \mathbb{R} \times ]{-\infty},-\pi]\}$.

Note that since the right hand side of (41) is periodic in $x$ with period $(2\pi,0)$, we have
implicitly considered the system (41) on the cylinder [11], [54]. Having said this, $C$ can
really be regarded as a covering of the state space of (1).

With the choices we have made above, hypotheses (H1) and (H2) in Sections II and III
are fulfilled. In particular, Theorem A.4 in the Appendix shows that for each cell $A \in C'$,
we may choose the smallest intersection of six closed balls of radius 0.4 containing $A$
for the set $\tilde A$ in hypothesis (H2); see Fig. 2. We finally choose $\Sigma(A)$ to consist of six
supporting half-spaces of $\tilde A$ as in Fig. 2, and analogously for the pentagons in $C'$. The set
$\Sigma(A)$ is then supplied to the algorithm in Fig. 3 to compute abstractions of the sampled
and quantized pendulum system defined earlier. The results are summarized in Tab. I:
the memory span $N$ of the abstractions we have computed, the number of half-spaces
determined from solutions of ODE (21), the number of polyhedra tested for emptiness,
and the number of states and transitions in a finite automaton realization [43]-[45] of the
abstraction. The data in Tab. I highlights the fact that half-spaces are shared among
polyhedra, which is an important feature of the algorithm from Section III. Indeed,
while each transition corresponds to a non-empty intersection of half-spaces, the number
of those transitions by far exceeds the total number of computed half-spaces if $N > 1$.

Table I
Computation of abstractions of the pendulum example.

N | half-spaces | polyhedra | states | transitions
1 | TTtO | 4T059 | 306 | 4246
2 | 22914 | 97203 | 4552 | 35734
3 | 69048 | 351523 | 36040 | 220442

In order to obtain a suitable supervisor for the control system of Fig. 5(b), we solve 
certain auxiliary control problems posed in terms of the abstractions already computed. 
So, let N ∈ {1, 2, 3}, denote by B_N the abstraction of memory span N that we have 
computed, define a start region S and a target region Z by 

$$S = \{A \in C' \mid (0,0) \in A\}, \qquad Z = \{A \in C' \mid A \subseteq E\},$$

see Fig. 6, and consider the following problem: Determine the supervisor in the form 
of a map 

$$R\colon \bigcup_{k=1}^{N+1} U^{k-1} \times C^{k} \to U$$

such that whenever (u, A) ∈ B_N, A_0 ∈ S, and 
u_k = R(u|_{[k−N;k[}, A|_{[k−N;k]}) for all k ∈ ℤ_+, then there is some k ∈ ℤ_+ such that A_k ∈ Z 
and A_τ ∈ C' for all τ ∈ [0; k[. This specification requires that if (u, A) is any signal that 
may possibly be produced by the closed loop composed of the supervisor R and some plant 
that realizes the behavior B_N, and if that signal additionally starts in S, then it remains 
in C' until it eventually enters Z. While this specification is not a complete behavior [43], 
that kind of discrete control problem is equivalent to a shortest path problem in some 
hypergraph [61], and thus, can be efficiently solved [62]. In fact, we have been able to 
obtain a supervisor R in the case N = 3, and to prove there is none enforcing the above 
specification if N ∈ {1, 2}, with run times negligible compared to the ones observed in 
the computation of the abstractions. Specifically, for N = 3, the target region is reached 
within at most 27 steps. It follows that R is compatible with the actual plant, i.e., with 
the sampled and quantized pendulum system defined earlier, and also enforces the above 
specification when combined with that plant rather than with the abstraction B_N, on 
which the design of R was based [46]. See also Fig. 6(a). 

Figure 7. Dependence of run times in seconds on the number |U| of controls, the number m of half-spaces 
supporting A, and the number |C| of quantizer cells, of an implementation of the algorithm in Fig. 3 with 
Mathematica 7.0 [63], run on four threads of an Intel Xeon CPU E5620 (2.4 GHz). Results for memory spans 1, 
2 and 3 correspond to three different plot symbols, which are filled iff the corresponding abstraction has 
led to a solution of the control problem considered in Section V. (a) |C| = 182, m = 6. (b) |U| = 3, |C| = 182. 
(c) |U| = 2, m = 6. 

Modifying the above example, we have varied the number of controls, the number 
of supporting hyperplanes, and the number of quantizer cells. See Fig. 7. Given the 
fact that the reported run times have been obtained from interpreted rather than from 
compiled code, we expect that the algorithm in Fig. 3 can also be successfully applied to 
systems essentially more complex than (41). See also [64]. Fig. 7(b) also demonstrates the 
importance of accurately approximating attainable sets. In particular, we have verified 
for the quantizer used in Fig. 7(b) that the control problem considered in this section 
could not be solved using ellipsoidal rather than strongly convex supersets of quantizer 
cells. 

We have additionally investigated a scenario with extra constraints in the form of 
obstacles in state space, by simply treating the obstacle cells as overflow symbols. The 
results illustrated in Fig. 6(b) show that our approach would also be feasible in the 
presence of complicated constraints such as the ones regularly met in motion planning 
problems [12]. 

Finally, we would like to point out that the supervisors we have designed solve control 
problems for a sampled version of (41). In fact, the discrete abstractions we are using are 
not capable of representing the evolution of continuous-time systems between sampling 
times, and hence, control problems for the latter systems cannot be treated directly. 
However, solutions for an important class of continuous-time control problems can be 
obtained from solutions of auxiliary problems for sampled systems using a robust version 
of the original specification, e.g. [65]. For the problem considered in this section, a robust 
specification could easily be obtained by tightening state constraints, i.e., by decreasing 
the bound (42a) and enlarging the obstacles in Fig. 6(b) by a suitable amount. 
VI. Conclusions 

We have presented a novel algorithm for the computation of discrete abstractions of 
nonlinear systems as well as a set of sufficient conditions for the convexity of attainable 
sets. While the usefulness of the first relies on the second contribution, the latter may be 
of separate interest. Practicability of our results in the design of discrete controllers for 
nonlinear continuous plants under state and control constraints has been demonstrated 
by an example, and we also expect their use to be of advantage in attainability and 
verification problems. 

The algorithm proposed in this paper is the first one that not only yields abstractions of 
finite but otherwise arbitrary memory span that are suitable for solving general control 
problems, but also applies to nonlinear systems under rather mild conditions, which 
essentially reduce to sufficient smoothness in the case of sampled systems. Previous 
approaches are confined to abstractions of memory span 1 with two exceptions, which 
apply only to monotone dynamics [28] and are not rigorous and limited to solving 
reachability problems [39], respectively. We emphasize that increasing the memory span 
may be the only way to improve the accuracy of abstractions up to a level at which 
analysis and synthesis problems can be solved. One example is networked control systems 
[13], where quantization effects are part of the systems to be investigated and state space 
quantizations cannot be arbitrarily refined. 

Its wide applicability and the fact that it builds on relatively simple computations 
distinguishes our approach from competing techniques even if we restrict ourselves to 
abstractions of memory span 1. In particular, some methods only apply to systems whose 
continuous-valued dynamics is defined by ordinary difference and differential equations 
with multi-affine or polynomial right hand sides [29]-[31], or require stability [26], [27] or 
deriving a state space partition in accordance with the exact system dynamics prior to 
their application [40]-[42]. Others require the use of interval arithmetic [32]-[35], deciding 
satisfiability of formulas over certain logical theories [36] , or solving complex optimization 
problems [23], [37], [38]. 

Finally, a distinctive feature of our method is that the error by which attainable sets 
of quantizer cells are over-approximated is quadratic in the size of the cells. This has 
been achieved by extending our earlier results from [47], [48] to apply to strongly convex 
sets rather than merely ellipsoids. Due to this improvement, our method will outperform 
the sampling method [25] and any other method whose approximation error depends 
linearly on the dispersion [12] of some grid, e.g. [26], [27], [50], whenever highly accurate 
abstractions are to be computed. 

The techniques we propose can currently be applied to systems with finite input 
alphabets only and additionally depend on the ability to design suitable quantizers. 
The latter can be quite demanding, despite the results presented here. An extension 
to systems with continuous inputs and an automated procedure for designing quantizers 
would considerably enhance our method. It should also be extended to account for 
disturbances and uncertainties, including numerical discretization errors and the effects 
of finite arithmetic in order to address robustness issues and to obtain validated results. 
Appendix 

A.1 Lemma. Let r > 0, z ∈ ℝ^n, x, y ∈ B(z, r), x ≠ y, and s = ‖x − y‖²/(8r). Then 
B((x + y)/2, s) ⊆ B(z, r). 

Proof. Let A be an arc of a circle of radius r joining x and y whose length does not 
exceed πr. Then A ⊆ B(z, r), e.g. [55], and min{‖a − (x + y)/2‖ | a ∈ A} = r − (r² − 
‖x − y‖²/4)^{1/2}. The latter is easily shown to be bounded below by s. □ 
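The lower bound that the proof calls easily shown, worked out with the lemma's own symbols (added here, not part of the original text):

$$
r - \Bigl(r^2 - \tfrac{1}{4}\|x-y\|^2\Bigr)^{1/2}
 = \frac{\tfrac{1}{4}\|x-y\|^2}{\,r + \bigl(r^2 - \tfrac{1}{4}\|x-y\|^2\bigr)^{1/2}}
 \;\ge\; \frac{\tfrac{1}{4}\|x-y\|^2}{2r}
 = \frac{\|x-y\|^2}{8r} = s,
$$

where the first equality multiplies numerator and denominator by the conjugate $r + (r^2 - \tfrac14\|x-y\|^2)^{1/2}$, and the inequality uses $0 \le (r^2 - \tfrac14\|x-y\|^2)^{1/2} \le r$; the radicand is non-negative because $\|x - y\| \le 2r$ for $x, y \in B(z, r)$.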

The Hausdorff distance between any non-empty, compact subsets M, N ⊆ ℝ^n is defined 
to be the infimum of r ∈ ℝ_+ for which both M ⊆ N + B(0, r) and N ⊆ M + B(0, r) [59]. 

A.2 Lemma. Let M ⊆ ℝ^n, M ≠ ∅, and define Θ(s) = ⋂_{x∈M} B(x, s) for all s > 0. If 
r > 0 and Θ(r) contains at least two points, then lim_{s→r, s<r} Θ(s) = Θ(r) in Hausdorff 
distance. 

Proof. Θ(s) is convex and compact for any s > 0, and Θ(r) possesses nonempty interior 
by Lemma A.1; hence Θ(r) = cl(int(Θ(r))). If p ∈ int Θ(r), then p ∈ Θ(s) whenever s is 
sufficiently close to r; in particular, Θ(s) ≠ ∅. Thus the Hausdorff distance between Θ(s) 
and Θ(r) is well-defined. Moreover, given ε > 0 and y ∈ Θ(r), there is p ∈ int Θ(r) with 
‖p − y‖ < ε, hence y ∈ Θ(s) + B̊(0, ε) for some s < r, where B̊(x, r) denotes the open 
Euclidean ball of radius r centered at x. This shows Θ(r) ⊆ ⋃_{s∈]0,r[} (Θ(s) + B̊(0, ε)), and 
compactness of Θ(r) implies Θ(r) ⊆ Θ(s) + B(0, ε) for some s < r, hence for all s < r 
sufficiently close to r. □ 

A.3 Lemma. Let P_1, …, P_k ⊆ ℝ^n be convex polyhedra. Then cl(ℝ^n \ ⋃_{i=1}^{k} P_i) is the 
finite union of convex polyhedra. 

Proof. For any polyhedron M = {x ∈ ℝ^n | Ax ≤ b}, A an m × n matrix, b ∈ ℝ^m, m ≥ 1, 
the closure of ℝ^n \ M equals ⋃_{j=1}^{m} {x ∈ ℝ^n | A_{j,·} x ≥ b_j}, where A_{j,·} denotes the jth row of A. 
Therefore, cl(ℝ^n \ ⋃_{i=1}^{k} P_i) = ⋂_{i=1}^{k} cl(ℝ^n \ P_i) = ⋂_{i=1}^{k} ⋃_{j=1}^{m} Q_{ij} for suitable half-spaces 
Q_{ij}. Since intersection and union distribute over each other, the right hand side of the 
previous identity equals ⋃_{j ∈ J^I} ⋂_{i ∈ I} Q_{i j_i}, where I = [1; k] and J = [1; m]. □ 
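Lemma A.3 as a procedure (an example added here, not the paper's own code): each input polyhedron is a list of rows (a, b) meaning a·x ≤ b with a ≠ 0, the closure of each complement ℝ^n \ P_i is the union of the reversed closed half-spaces, and distributing the intersection over these unions enumerates one row index j_i per polyhedron, exactly the index set J^I of the proof; the row counts m_i are allowed to differ between polyhedra, which the lemma's proof covers with a single m. The two squares and the sample points are constructed.

```python
from itertools import product


def dot(a, x):
    return sum(ai * xi for ai, xi in zip(a, x))


def complement_closure(polyhedra):
    """Lemma A.3: a polyhedron P_i is a list of rows (a, b) with a != 0,
    meaning {x | a.x <= b}.  cl(R^n \ P_i) is the union over its rows of the
    closed half-spaces Q_ij = {x | a.x >= b}.  Intersecting these unions over
    i and distributing gives a union of convex polyhedra, one for every choice
    of a row index j_i per polyhedron (the set J^I of the proof).  The result
    keeps the row convention, so Q_ij is stored as (-a, -b)."""
    reversed_rows = [[(tuple(-c for c in a), -b) for a, b in P]
                     for P in polyhedra]
    return [list(choice) for choice in product(*reversed_rows)]


def member(poly, x, tol=1e-12):
    """x lies in the convex polyhedron poly (all constraints are closed)."""
    return all(dot(a, x) <= b + tol for a, b in poly)


def in_union(polys, x):
    return any(member(p, x) for p in polys)


def box(lo, hi):
    """Axis-aligned box as a polyhedron: x_i <= hi_i and -x_i <= -lo_i."""
    n = len(lo)
    rows = []
    for i in range(n):
        e = tuple(1.0 if k == i else 0.0 for k in range(n))
        rows.append((e, float(hi[i])))
        rows.append((tuple(-c for c in e), -float(lo[i])))
    return rows


# constructed example: two overlapping unit squares in the plane,
# P1 = [0,1] x [0,1] and P2 = [0.5,1.5] x [0,1]; their union is [0,1.5] x [0,1]
P1 = box((0, 0), (1, 1))
P2 = box((0.5, 0), (1.5, 1))
COMPLEMENT = complement_closure([P1, P2])   # 4 * 4 = 16 convex polyhedra

if __name__ == "__main__":
    # (1, 0.5) lies on the boundary of P1 but inside the union: not in the closure
    for x in [(2, 2), (0.5, 0.5), (1, 1), (1, 0.5)]:
        print(x, in_union(COMPLEMENT, x))
```

The last sample point shows why the intersection over i matters: the reversed row x_1 ≥ 1 of P1 accepts (1, 0.5), but no reversed row of P2 does, so the point is correctly excluded.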

A.4 Theorem. Let t > 0 and assume the input u to the pendulum equations (41) is 
piecewise continuous with |u(τ)| ≤ û for all τ ∈ [0, t]. Define 

u) — max |l, |a;| (l -|- -u^)^^^! , 

12Q^ (l + (a; + 7)^)-3/2 

^ ~ sinh(3a;i) + sinh(Oi) (12(a;-2 + l)-3/2 _ 3) ' 

where max denotes the maximum, and assume 0 < γ < ω and 2(ω² − γ²)^{1/2} t < π. Then 
the attainable set φ(t, Ω, u) is convex for any r-convex subset Ω ⊆ ℝ², where φ denotes 
the general solution of (41). 

Proof. First note that the right hand side of (41) is linearly bounded [54], which implies 
φ(τ, ℝ², u) = ℝ² for any τ ∈ ℝ_+. One may therefore assume Ω ≠ ℝ² without loss of 
generality. Then apply Theorem IV.6 and use the estimate 

uP'luir) cos((^(t, Xq, u)i) -\- sin((^(T, Xq, u)i)\ < cD^, 
the fact that D_2φ(·, x, u) fulfills the variational equation to (41) along φ(·, x, u), Cramer's 
rule, and the formula of Abel-Liouville [54] to see that it suffices to show 



I e'^^\\{D2^{T,Xo,u)),Xdr<l/r. (44) 

Here, the subscript "1,·" denotes the first row. Now set κ = (ω² + γ²)^{1/2} and observe 
(1 + (k + 7)^) < (1 + (a) + 7)^) Q"'^ to obtain the upper bound 

:i + (a; + 7)2) cosh(2«:T) + ^^— (45) 



for the squared norm of the first row of exp (r ( ^2 ) ) . The second step of the proof of 
[47, Theorem 6] shows (45) is also an upper bound for ‖(D_2φ(τ, x_0, u))_{1,·}‖². Next show 

cosh ((9^^ + (a + 4/3)^)V^) 

hia) := — - e'^ < (46) 

^ ^ cosh(Q; + 4^) ^ ^ 

for all α, β > 0. The choice α = 2(ω − 4γ/3)t, β = 2γt/3 then yields the upper bound 

e-47T/3 / 1 \ 

^^(1 + {Q + 7)^) [cosHQrr - j (47) 

for ‖(D_2φ(t, x_0, u))_{1,·}‖². Indeed, the map h defined in (46) is continuous, and for every 
α > 0, h'(α) exists and is a positive multiple of 

$$\tanh(\mu + \nu)/\tanh(\mu) - (\mu + \nu)/\mu, \qquad (48)$$

where μ = α + 4β and ν = (9β² + μ²)^{1/2} − μ. (48) is monotonically decreasing with 
respect to ν > 0 and vanishes for ν = 0. Thus h is monotonically decreasing on ℝ_+. This 
proves (46) since h(0) < 0. 

Finally, consider the map g defined on [0, 1] by 

This map is concave since g''(s) < 0, and g(0) = g'(1) = 0; thus g is non-negative. For 
the choice s = cosh(ωt)^{−1}, this together with the bound (47) implies ‖D_2φ(t, x_0, u)_{1,·}‖² 
does not exceed 

e-^^^u}-^(l + (u} + 7)2)^/2 (cosh(a}T)3 - cosh(cI;T) (l - uj^{u}^ + 1)-^/^)) , 
which directly implies (44). □ 